ASYMPTOTICALLY FAST GROUP OPERATIONS ON
JACOBIANS OF GENERAL CURVES

Abstract. Let C be a curve of genus g over a field k. We describe probabilistic
algorithms for addition and inversion of the classes of rational divisors in the
Jacobian of C. After a precomputation, which is done only once for the curve
C, the algorithms use only linear algebra in vector spaces of dimension at
most O(g log g), and so take O(g^{3+ε}) field operations in k, using Gaussian
elimination. Using fast algorithms for the linear algebra, one can improve this
time to O(g^{2.376}). This represents a significant improvement over the previous
record of O(g^4) field operations (also after a precomputation) for general curves
of genus g.



1. Introduction 

Let C be a smooth projective geometrically irreducible algebraic curve of genus
g over a field k. The Jacobian variety J of C is a g-dimensional algebraic group
that parametrizes the degree zero divisors on C, up to linear equivalence. The
Jacobian plays a crucial role both in the theory and in the applications of the
curve C, including cryptography and computational number theory. For all but
the smallest g, it appears impractical to implement the group J(k) algorithmically
using an embedding of J into a projective space P^N: if we embed J using the
complete linear series attached to 3Θ or 4Θ (Θ being the theta divisor), then the
equations of J can be described, but the dimension N grows exponentially with g;
on the other hand, if we use an incomplete linear series, then the equations defining
J become much more complicated. Instead, algorithms for J(k) generally work
directly with k-rational divisors on C, and keep track of their linear equivalence to
reduce "complicated" divisors to simpler ones as needed. This gives a computational
handle on the Picard group, Pic^0(C), which is a subgroup of J(k) (the two groups
agree if C(k) is nonempty). We shall nevertheless frequently abuse terminology and
refer to the Jacobian instead of to the Picard group.

In this article, we present what we believe are asymptotically the fastest algo-
rithms to date that implement the group law on the Picard group of a general curve
C, as the genus g grows. This assumes that C is given in one of two specific forms,
which we call "Representation A" and "Representation B," with respect to which
we can also represent divisors D on C. If we start with equations for C, we need
to do a single initial precomputation to bring C into one of these two forms. For
Representation A, this involves computing two Riemann-Roch spaces of the form
H^0(O_C(D_i)) on C and setting up a "multiplication table" μ between them, once
and for all. For Representation B, we also need to describe the values of a basis for
a space H^0(O_C(D_i)) at sufficiently many points of C; this allows us to speed up the
multiplication μ, in a way analogous to representing polynomials by their values at
many points instead of by their coefficients. After that, our algorithms boil down to
linear algebra on certain matrices of size O(g) × O(g log g) = O(g) × O(g^{1+ε}), which
arise from subspaces of the Riemann-Roch spaces above. For Representation A, our
algorithms attain a complexity of O(g^{3+ε}) field operations in k per group operation
(such as addition or negation) in the Jacobian, and this complexity holds even if
we use Gaussian elimination rather than asymptotically faster algorithms for linear
algebra. In the case of Representation B, the complexity is determined by the linear
algebra. The current best algorithms [CW90] allow us to attain a complexity of
O(g^{2.376}) using Representation B. Our algorithms are straightforward to implement
and analyze — the author had an easy time programming the algorithms for the
Jacobian group in GP/PARI [PARI], for the case of "Representation A," in a fairly
short program file — but we naturally need more sophisticated techniques to prove
that our algorithms give the correct answer.

Our algorithms are probabilistic, since they have to find certain intermediate
data ("an IGS" of a divisor D, defined in Section 3) for the computation by ran-
dom search; the above complexity actually describes the expected number of field
operations needed by our algorithms. Each trial to find an IGS for D has a proba-
bility of success greater than or equal to 1/2, and we can recognize an IGS once we
have found it, so our algorithms are guaranteed to terminate with a correct result.
Thus our probabilistic algorithms are of Las Vegas type. We have measured com-
plexity by counting field operations in k instead of, say, bit operations, due to
potential "coefficient explosion" in k. This is not an issue if k is finite, but is
unavoidable if k = Q (more generally, for number fields), since adding points on
the Jacobian tends to increase their arithmetic height. This growth of coefficients
will occur even if we carry out our linear algebra over Q in the best possible way,
for example by incorporating LLL reduction throughout our algorithms.

Prior to the results of this article, the best algorithms for Jacobians of general
curves had a complexity of O(g^4) after the initial precomputations, and were de-
terministic. The complexity O(g^4) was attained both in the 1999 Ph.D. thesis of
F. Hess [Hes99] (see also [Hes02]), and in a 2001 preprint of the author (published
as [KM04a]), whose methods we adapt and extend for this article. The methods
of Hess, and of several predecessors of whom we cite only [Can87], can be called
"arithmetic": they begin with a degree n map φ: C → P^1, and view the func-
tion field k(C) as a degree n extension of k(x). Then J(k) is essentially an ideal
class group attached to k(C), and we compute with ideals of the integral closure
of k[x] in k(C) by representing them as lattices (i.e., free modules) over k[x]; one
has to also consider the points of C lying over ∞ ∈ P^1, and the implementation
is somewhat involved. The methods of Hess and his predecessors work best if the
minimum gonality n = deg φ remains bounded as g grows (for example, [Can87]
applies only to hyperelliptic curves, for which n = 2); in that case, their algorithms
generally have complexity O(g^2). However, their methods are sensitive to n, and
if n grows linearly with g, as is the case^1 for general curves of genus g, then the
complexity of Hess' algorithms rises to O(g^4), as mentioned above.

In contrast, the methods in [KM04a] and in the present article can be called "geo-
metric," in that we work with an embedding ι: C → P^n. We choose n moderately
large, but still O(g), and the two Riemann-Roch spaces that we need to compute
are the restriction of linear and quadratic functions from the projective space to
C. The "multiplication map" μ then multiplies two linear functions to produce a
quadratic function. Once this is in place, the rest is linear algebra (the reader may
wish to compare our approach with another use of linear algebra to study Jacobians
in [And02], where linear algebra on Riemann-Roch spaces and invariant theory are
used to describe explicit equations for the Jacobian). In contrast to our methods,
earlier "geometric" algorithms for Jacobians ([HI94] and [Vol94]) preferred to work
with n as small as possible, preferably n = 2, even if this meant using a singular
plane curve birational to C. Their algorithms involved fairly elaborate computa-
tions with polynomials of degree O(g), to say nothing about the problems with
singularities. The resulting complexity of those algorithms was O(g^4) after pre-
computations, and so those methods were superseded by the algorithms of Hess.
The author hopes that this article and its predecessor [KM04a] will revive interest
in the geometric approach to algorithms for curves.

We also hope that this article will support a point of view explained in the
introduction of [KM04a], namely, that it is profitable to do computational algebraic
geometry with varieties embedded in Grassmannians. Here we represent points
on Grassmannians as subspaces of a fixed vector space V, and use linear algebra
throughout; we do not embed the Grassmannian variety into projective space, as the
ambient projective space would be too large. In our setting, we represent a divisor
D of degree d as a codimension d subspace W_D of V, which we can interpret as
mapping the symmetric power variety Sym^d(C) into a Grassmannian. We take d >
2g, instead of the more usual approach d = g, because this simplifies our algorithms
(essentially since the fibre in Sym^d(C) over a point of the Jacobian always has
the same structure, a point used notably in Chow's projective construction of the
Jacobian [Cho54]). We of course include an algorithm that determines whether
two elements of Sym^d(C) represent the same point on the Jacobian. For all this
and more background, the reader is encouraged to consult [KM04a] alongside this
article.

The speedup in our new algorithms comes partially from the speedup of multi-
plication in Representation B; however, the most significant improvement is due to
our using an IGS for D instead of the whole space W_D at some strategic moments.
This allows us to scale down the size of the matrices on which we need to do linear
algebra, from O(g) × O(g^2) in [KM04a] to O(g) × O(g^{1+ε}) in this article. It turns
out that the larger matrices of [KM04a] contain redundant data, but it is still not
clear if one can remove the redundant data by a fast deterministic algorithm. This
is why our algorithms are probabilistic.



^1 By [GH94], page 261, a general curve of genus g over C, or more generally over an algebraically
closed field, has gonality ⌊(g + 1)/2⌋ + 1; over k, the gonality can be higher. We also note the
result of [Abr96] that the gonality of a modular curve such as X_0(N) also grows linearly with the
genus, at least over C; interestingly, our algorithms are particularly suited for modular curves,
since it is easier to describe them using Representation A or Representation B than by finding
nice equations.
Remark 1.1. We have slightly changed notation between this paper and [KM04a].
We now use "multiplicative" notation to refer to line bundles on the curve C, instead
of the "additive" notation that was used in most of the previous paper (actually,
the previous paper occasionally used multiplicative notation as well). Here is a
small table of old vs. new notation.

    Old Notation:               New Notation:

                                𝓛_1 ⊗ 𝓛_2

    H^0(D_1 − D_2)              H^0(O_C(D_1 − D_2))

    H^0(2𝓛 − D − E)             H^0(𝓛^2(−D − E))



Remark 1.2. Throughout this article, we will view an m × n matrix M (always with
entries in k) as a linear transformation from k^n to k^m, viewed as column vectors.
Thus v ∈ k^n is mapped to Mv ∈ k^m, and the notations ker M and image M should
be interpreted accordingly. We shall need to refer to the complexity of the linear
algebra steps in our algorithms, which include computing a kernel or an image of M
and/or reduced row and column echelon forms, as well as multiplying matrices. (See
Chapter 16 of [BCS97] or Chapter 6 of [AHU75] for a reduction of general linear
algebra to matrix multiplication.) We denote by ω the smallest exponent such that
linear algebra on square n × n matrices has complexity O(n^{ω+ε}) for every ε > 0,
measured in field operations in k. The current record [CW90] is ω < 2.376, and it
is conjectured that ω = 2. Gaussian elimination gives ω ≤ 3 elementarily, and in
fact the complexity of Gaussian elimination on a rectangular m × n matrix is
O(mn · min(m, n)).

Remark 1.3. We use in this article the notation ⌈a⌉ for the ceiling of a ∈ R, i.e.,

(1.1)   ⌈a⌉ = min{n ∈ Z | n ≥ a}.

2. Representing the curve, and basic linear algebra operations 

In this section, we describe how we represent the curve C and how we implement
the basic building blocks of our algorithms via linear algebra. We shall assume that
the curve C comes equipped with a line bundle 𝓛 of moderately large, but not too
large, degree:

(2.1)   deg 𝓛 ≥ 2g + 2, but nonetheless deg 𝓛 = O(g).

(We will typically take deg 𝓛 = 6g in applications.) We define k-vector spaces V,
V' by

(2.2)   V = H^0(C, 𝓛) = H^0(𝓛),   V' = H^0(C, 𝓛^{⊗2}) = H^0(𝓛^2).

We also introduce the notation for dimensions and degrees

(2.3)   Δ = deg 𝓛,   Δ' = deg 𝓛^2 = 2Δ,
        δ = dim V = Δ + 1 − g,   δ' = dim V' = 2Δ + 1 − g.

Note that all the above quantities are O(g). All our algorithms work over the field
k, but for some of our proofs we need to consider points of C and elements of V
defined over the algebraic closure k̄.

The most important ingredient in our description of C is then the multiplication
map μ on global sections,

(2.4)   μ: V ⊗ V = H^0(𝓛) ⊗ H^0(𝓛) → V' = H^0(𝓛^2).

We will use the shorthand notation

(2.5)   s · t = μ(s ⊗ t) ∈ V'   for s, t ∈ V.

Before specifying the precise form in which we represent μ algorithmically, we note
the following.

Proposition 2.1. We can determine C and 𝓛 up to isomorphism from a knowledge
of the multiplication map μ. Moreover, given vector spaces V, V' and a map μ, it
is possible to determine whether they come from a pair (C, 𝓛) as above.

Proof. For the first statement, assume that we are assured of the existence of some
pair (C, 𝓛), but that we only know the map μ. We claim that the kernel of μ en-
codes equations for C. Indeed, consider the embedding ι: C → P(V) = P^{δ−1} given
by 𝓛. Since Δ ≥ 2g + 2, this embedding is projectively normal (in particular, μ
is surjective), and the homogeneous ideal I_C ⊂ Sym^* V defining ι(C) is generated
by quadrics (see for example [Laz89]). Concretely, we can identify Sym^* V with
k[T_1, ..., T_δ], upon choosing a basis {T_1, ..., T_δ} of V. The kernel of μ trivially
contains all "commutators" T_i ⊗ T_j − T_j ⊗ T_i. After we quotient out by these com-
mutators, the image of ker μ inside the symmetric square Sym^2 V then corresponds
to the degree 2 elements of I_C. Since these generate I_C, we can hence recover C;
we also obtain 𝓛 as the pullback of O_{P(V)}(1) to C.

For the second statement, we check first that μ is surjective and symmetric (i.e.,
T_i · T_j = T_j · T_i for all i, j). The kernel of μ, when projected to Sym^2 V, then
corresponds to a space of degree 2 polynomials in k[T_1, ..., T_δ], and we let I be the
ideal generated by (a basis for) this space of degree 2 polynomials. We then check
that the ideal I is saturated and that it defines a smooth projective curve C (e.g.,
using Gröbner bases). We then determine the degree Δ and genus g of this curve
C from the Hilbert series of I; this again gives 𝓛 as the pullback of O_{P(V)}(1), with
V ⊂ H^0(𝓛). We finally verify that dim V = Δ + 1 − g to ensure that V = H^0(𝓛),
i.e., that our embedding of C comes from the complete linear series. □
Note that in light of the above proposition, we can view V as the space of linear
"functions" and V' as the space of quadratic functions on the curve C with respect
to the projective embedding ι.

For algorithmic purposes, we represent our knowledge of V, V', and μ in ei-
ther of two ways, Representation A and Representation B, with the former more
straightforward, and the latter asymptotically faster. We also single out a simple
special case Representation B_0 of Representation B, both for reasons of exposition
and of ease of implementation. See Example 2.9 at the end of this section for an
example of Representation A and Representation B.

(1) Representation A: This method works over all fields. We choose bases
{T_1, ..., T_δ} for V and {U_1, ..., U_{δ'}} for V', thereby identifying V and V'
with the spaces of column vectors k^δ and k^{δ'}. Knowledge of μ is then
encoded as a multiplication table, i.e., by storing the coefficients c_{ijk} in
each identity

(2.6)   T_i · T_j = μ(T_i ⊗ T_j) = Σ_k c_{ijk} U_k.

It is convenient to store this information as a collection {M_1, ..., M_δ} of
matrices, each of size δ' × δ, such that M_i describes the linear transformation
"multiplication by T_i" from V to V':

(2.7)   M_i = (c_{ijk})_{k,j} =
            ( c_{i11}    c_{i21}    ...  c_{iδ1}   )
            ( c_{i12}    c_{i22}    ...  c_{iδ2}   )
            (   ...        ...      ...    ...     )
            ( c_{i1δ'}   c_{i2δ'}   ...  c_{iδδ'}  )

(2) Representation B_0: We take a divisor D_1 such that 𝓛 ≅ O_C(D_1). We
also assume that we can find N = Δ' + 1 distinct points P_1, ..., P_N ∈ C(k)
that are not in the support of D_1. This is a nontrivial assumption if k is
a number field, but is easy to arrange in cases of interest to cryptography,
where k is a finite field of large cardinality. We then represent V and V'
as certain subspaces of k^N: namely, we have injections of vector spaces
V → k^N and V' → k^N given by

(2.8)   s ↦ (s(P_1), ..., s(P_N)),

viewing s ∈ V (respectively V') as a meromorphic function on C with poles
at D_1 (respectively 2D_1). Then the multiplication map μ is simply point-
wise multiplication, since s · t corresponds to (s(P_1)t(P_1), ..., s(P_N)t(P_N)).
(Thus Representation B_0 is analogous to representing a polynomial f(x) ∈
k[x] of bounded degree by its vector of values (f(a_1), ..., f(a_N)) at suffi-
ciently many points, in order to speed up the multiplication of polynomials.)
In this setting, we represent C by our knowledge of the subspaces of k^N
corresponding to V and V'. It is most convenient to store an N × δ ma-
trix A_V whose columns are a basis of V (viewed as a subspace of k^N), as
well as the equivalent data of an (N − δ) × N matrix K_V whose kernel is
the subspace V. It turns out not to be necessary to store a basis for the
subspace V', but we can always recover it, if needed, from the fact that μ
in (2.4) is surjective. Note that there is no need to store any information
that describes the map μ.
(3) Representation B: Even if we cannot find enough k-rational points on C,
we can still work with the following generalization under the mild assump-
tion of (2.10) (e.g., it is sufficient to assume that k is perfect). We take
a k-rational effective divisor Z on C, of degree N = deg Z = O(g), such
that H^0(𝓛^{⊗2}(−Z)) = 0. (We chose N = Δ' + 1 and Z = P_1 + ··· + P_N
for Representation B_0.) We then wish to represent elements of V and V'
by their "values" at the points of Z. Here the values of a global section
s ∈ H^0(𝓛) at Z are given by the image of s in H^0(𝓛_Z), where we de-
fine the sheaf 𝓛_Z = 𝓛/𝓛(−Z). We similarly define 𝓛^2_Z = 𝓛^2/𝓛^2(−Z),
and view the values of an element of V' at Z as belonging to H^0(𝓛^2_Z).
By design, the natural k-linear map V → H^0(𝓛_Z) is injective, and simi-
larly for V'. Moreover, one can find compatible isomorphisms of sheaves of
O_C-modules

(2.9)   φ: 𝓛_Z ≅ O_Z,   φ^{⊗2}: 𝓛^2_Z ≅ O_Z,

where O_Z = O_C/O_C(−Z). This identifies V and V' as k-subspaces of the
N-dimensional k-algebra A := H^0(O_Z), in a way such that the multipli-
cation μ becomes multiplication in A. We moreover need to assume the
knowledge of an isomorphism of k-algebras:

(2.10)   A ≅ k[x]/(h_1(x)) × ··· × k[x]/(h_r(x)).

We thus represent elements of A as tuples of polynomials (f_1(x), ..., f_r(x))
with deg f_i < deg h_i. The coefficients of the f_i identify A with k^N as a
k-vector space; with respect to these coordinates, we can describe V by
matrices A_V and K_V as in the case of Representation B_0. However, in this
setting, we need to carry around the polynomials h_1(x), ..., h_r(x) in order
to know the multiplication map μ. Note that multiplying two elements of
A can be done in time O(N^{1+ε}) = O(g^{1+ε}) by FFT-based methods.

Remark 2.2. It is relatively straightforward to produce Representation A for a
curve that is given in a more "classical" representation. For instance, we may be
given polynomial equations that describe C in some projective space (where the
embedding need not be given by a complete linear series). Alternatively, we may
start with a representation of the function field of C as an extension k(x)[y] of the
rational function field k(x), given by an equation f(x, y) = 0; this is tantamount
to choosing a possibly singular plane curve birational to C. In either of these two
cases, we choose a divisor D_1 of suitably large degree Δ, and let 𝓛 = O_C(D_1). We
then use standard algorithms ([HI94], [Vol94], [Hes02]) for calculating the Riemann-
Roch spaces V = H^0(O_C(D_1)) and V' = H^0(O_C(2D_1)). The multiplication map
μ is then immediate in terms of the representation of V and V' as subsets of the
function field k(C).

Another situation where we can produce Representation A is that of modular
curves. If our curve C is the completion of a quotient Γ\𝓗 for some congruence
subgroup Γ acting on the upper half-plane 𝓗, then we do not need to compute
equations for C directly; instead, we take a suitable weight n (small values such as
n ∈ {2, 3, 4} usually suffice), and let V = M_n(Γ) and V' = M_{2n}(Γ) be the spaces
of modular forms of weights n and 2n with respect to Γ. The map μ is then multi-
plication of modular forms; one way in which the modular forms can be represented
is by their q-expansions up to a suitable order O(q^N), where N is large enough to
distinguish elements of V'. These q-expansions can be efficiently computed using
modular symbols (see, e.g., [Ste04]). Note that working with q-expansions is essen-
tially Representation B, where the divisor Z is the N-fold multiple of the cusp at
infinity. The author has also investigated Representation B for modular curves in
the setting where one evaluates the form at several non-cuspidal points.

Remark 2.3. Given a curve in Representation B, one can immediately convert the
curve to Representation A. Conversely, given a curve in Representation A, we sketch
in Section 5 how to convert this to Representation B, under some assumptions on
the field k.

Remark 2.4. For uniformity of notation, we extend the definition of N so that in
the case of Representation A, we have N = δ. Thus both in Representation A and
in Representation B, we will identify V with a subspace of k^N, viewed as column
vectors:

(1) If we use Representation A, then V = k^N; in this case we can consider that
A_V is the N × N identity matrix.

(2) If we use Representation B, then V = image A_V = ker K_V.

We similarly define N' by N' = δ' in the case of Representation A, and N' = N in
the case of Representation B, so that V' is identified with a subspace of k^{N'}.

We will also need to represent (k-rational) subspaces W ⊂ V and W' ⊂ V'. If
r = dim W, then we represent W nonuniquely by an N × r matrix A_W, whose
columns give a basis for W (viewing the columns as elements of V). Thus we have
an inclusion image A_W ⊂ image A_V corresponding to the inclusion W ⊂ V. We
similarly represent an r'-dimensional subspace W' ⊂ V' by an N' × r' matrix A_{W'}
with image A_{W'} = W'. Note finally that the numbers N and N', as well as the
smaller r and r', are all O(g), regardless of whether we use Representation A or
Representation B.

Our algorithms will represent divisors as certain subspaces of V and of V', and
will all involve the following linear algebra techniques:

Definition 2.5. Given subspaces W ⊂ V and W' ⊂ V', and given elements
s, s_1, ..., s_h ∈ V, we define the following:

(1) The simple multiplication s · W is the subspace of V' defined by

(2.11)   s · W = {s · t | t ∈ W}.

(2) The sum of products s_1 · W + ··· + s_h · W ⊂ V' is the usual sum of subspaces.
(We can view this as a "full multiplication" between S = span{s_1, ..., s_h}
and W.)

(3) The division W' ÷ {s_1, ..., s_h} is the subspace of V given by

(2.12)   W' ÷ {s_1, ..., s_h} = {t ∈ V | t · s_i ∈ W' for all 1 ≤ i ≤ h}.

The above operations were used in the algorithms of [KM04a], with h = O(g),
but we shall only need the case h = O(g^ε) in this article. We can immediately
describe the complexity of the above operations, measured as usual in the number
of k-operations. The exponent ω in the complexity of linear algebra was mentioned
in Remark 1.2.

Proposition/Algorithm 2.6. Assume that h = O(g^ε). Using Representation A,
we can:

(1) Find one product s · t with complexity O(g^3).

(2) Compute a simple multiplication s · W with complexity O(g^3).

(3) Compute a sum of products s_1 · W + ··· + s_h · W with complexity O(g^{3+ε}).

(4) Compute a division W' ÷ {s_1, ..., s_h} with complexity O(g^{3+ε}).

Proof. (1) Our representation of elements of V as tuples in k^N, via the basis
{T_i} for V, means that we are given s = Σ_i c_i T_i in the form of the column
vector ^t(c_1, ..., c_N). It is useful to produce the N' × N matrix M_s which
describes the linear transformation "multiplication by s" from V to V':

(2.13)   M_s = Σ_i c_i M_i,   M_i as in (2.7).

Also viewing t as a column vector in k^N, we then compute s · t = M_s t. Here
computing M_s has complexity O(g^3), and multiplying M_s t has complexity
O(g^2). (Alternatively, we could have expanded s · t using the coefficients
c_{ijk} of the multiplication table (2.6), for the same complexity.)

(2) We are given the matrix A_W, as in Remark 2.4. Compute the matrix M_s
as above, with complexity O(g^3); then form the matrix product A_{s·W} =
M_s A_W. We remain within complexity O(g^3), even if we use fast matrix
multiplication. Note that the naive method of multiplying s by each column
of W would have had complexity O(g^4).

(3) Compute the matrices A_{s_1·W}, ..., A_{s_h·W}. So far, this requires a complexity
of O(g^3 h). Then our desired result is the image of the block matrix A' =
(A_{s_1·W} ··· A_{s_h·W}), whose size is O(g) × O(gh). We then find a basis
for image A' by linear algebra, with complexity O(g^3 h) if we use Gaussian
elimination, and O((gh)^ω) by fast methods. Our total complexity is then
O(g^{3+ε}).

(4) Let r' = dim W'. From the N' × r' matrix A_{W'}, we use linear algebra to
produce an (N' − r') × N' matrix K_{W'} whose kernel is W'; the complexity
of this is dominated by what comes next. Then our desired result is

(2.14)   W' ÷ {s_1, ..., s_h} = ker P,   where   P = ( K_{W'} M_{s_1} )
                                                     (      ...       )
                                                     ( K_{W'} M_{s_h} )

(the blocks K_{W'} M_{s_i} being stacked vertically). This takes complexity
O(g^3 h) to produce the {M_{s_i}}, then O(g^ω h) to obtain P. The matrix P has
size ((N' − r')h) × N = O(gh) × O(g), and finding its kernel has a complexity
of O((gh)^ω) (even if we use Gaussian elimination, the time is still dominated
by finding the M_{s_i}).

□

Note that for Representation A, there is no asymptotic advantage to using fast
linear algebra; we can carry out the operations of Proposition/Algorithm 2.6 us-
ing Gaussian elimination with the same complexity, albeit with a higher implied
constant in the O(·) notation. On the other hand, Representation B benefits sig-
nificantly from fast linear algebra.

Proposition/Algorithm 2.7. Assume that h = O(g^ε). Using Representation B,
we can:

(1) Find one product s · t with complexity O(g^{1+ε}).

(2) Compute a simple multiplication s · W with complexity O(g^{2+ε}).

(3) Compute a sum of products s_1 · W + ··· + s_h · W with complexity O(g^{ω+ε}).

(4) Compute a division W' ÷ {s_1, ..., s_h} with complexity O(g^{ω+ε}).

Proof. This is largely the same as the previous result, except that the bottleneck
caused by finding matrices of the form M_s can be bypassed. We indicate the
necessary modifications. Note that if we use Representation B_0, then the first two
statements hold without including ε in the exponents.

(1) Recall that we represent s, t as elements of the algebra A (which is just
k × ··· × k for Representation B_0, in which case the result is even easier),
and we can multiply two elements of A by FFT techniques.

(2) Either multiply s by each column of A_W separately, or argue as follows.
We note for later use the fact that the N' × N = N × N matrix M_s is block
diagonal with a structure that allows fast multiplication by FFT (the matrix
M_s is furthermore genuinely diagonal in the case of Representation B_0).
Hence the multiplication M_s A_W can be done with complexity O(g^{2+ε}). If we
want, we can actually produce M_s by directly multiplying s by each element
in our basis for A = k^N. This also has complexity O(g^{2+ε}); it corresponds
to replacing A_W by the identity matrix.

(3) Here it only takes us complexity O(g^{2+ε} h) to produce the matrix A', so the
result follows.

(4) First note that the matrix P must be replaced by a slightly larger matrix
Q that includes an extra subblock K_V as mentioned in our descriptions of
Representation B_0 and Representation B:

(2.15)   W' ÷ {s_1, ..., s_h} = ker Q,   where   Q = (      K_V       )
                                                     ( K_{W'} M_{s_1} )
                                                     (      ...       )
                                                     ( K_{W'} M_{s_h} )

This ensures that elements of ker Q genuinely belong to V, which is a proper
subspace of k^N. This does not affect the asymptotics of the linear algebra
to find ker Q, since Q still has size O(gh) × O(g). As for finding Q in the
first place, note that the product matrices {K_{W'} M_{s_i}} can be computed
with complexity O(g^{2+ε}). This is particularly clear for Representation B_0,
since M_{s_i} is a diagonal matrix. The proof in general uses the transposi-
tion principle. Indeed, since the complexity using FFT-based algorithms
of multiplying M_{s_i} v for any column vector v ∈ k^N is O(g^{1+ε}), it follows
that one can just as quickly (perhaps with a "larger" ε) multiply w M_{s_i} for
any N-dimensional row vector w. Applying this to the rows of K_{W'}, we
obtain our result. Alternatively, we can give a more pedestrian approach
to finding Q: this takes a slightly higher complexity of O(g^{ω+ε}), but does
not affect the final complexity of division. Simply produce all the matrices
M_{s_i}, which requires complexity O(g^{2+ε} h), and then multiply them by a fast
algorithm with the matrix K_{W'}.

□

All our later algorithms will be built up from the operations that we have in-
troduced in the above two Proposition/Algorithms 2.6 and 2.7. We shall use the
following terminology.

Definition 2.8. A fast algorithm is one that requires a complexity of O(g^{3+ε})
field operations in k using Representation A, and that requires a complexity of
O(g^{ω+ε}) using Representation B. We will also define fast probabilistic algorithms of
Las Vegas type to be those whose expected running time is of the above complexity.
(Recall that a probabilistic algorithm is called of Las Vegas type if it either returns
an answer which is guaranteed to be correct, with a probability that is bounded
below by a fixed positive number, or if it returns "failure." This is in contrast to
Monte Carlo probabilistic algorithms, for which the answer in the first instance
may be wrong, also with a bound on the probability of error.)

We conclude this section with a concrete example of a curve as given in Rep-
resentation A and Representation B, in order to clarify the precise input to our
algorithms.

Example 2.9. Let C be the elliptic curve given by the Weierstrass equation y^2 =
x^3 + 1 over a field k not of characteristic 2 or 3. We choose as our line bundle
𝓛 = O_C(4P_∞), where P_∞ ∈ C(k) is the point at infinity. We choose bases for V
and V' (which we view as subsets of k(C)):

{T_1, ..., T_4} = {1, x, y, x^2},   {U_1, ..., U_8} = {1, x, y, x^2, xy, x^3, x^2 y, x^4}.

Thus, using Representation A, we would have T_2 · T_3 = U_5, and T_3 · T_3 = U_1 + U_6.
The reader is encouraged to write down the matrices M_i of (2.7), which will be
the entire description of our curve C; in particular, our representation never works
with the variables x and y, but only with the multiplication table giving each T_i · T_j
in terms of the U_k's.
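The following is an added worked example, not code from the paper: it builds the multiplication table (2.7) for the curve of Example 2.9 and implements the four operations of Definition 2.5 exactly as in Proposition/Algorithm 2.6 (products via M_s, simple multiplication as M_s A_W, sums of products as a column space, division as a kernel). It assumes we work over a prime field GF(P) rather than Q, and the prime and all function names are my own choices.

```python
# Representation A for the curve y^2 = x^3 + 1 of Example 2.9, with L = O_C(4 P_inf).
# Added example, not the paper's code. Assumption: the base field is a prime field GF(P),
# P not 2 or 3, instead of Q, so that coefficients stay bounded.
P = 10007

# Bases V = {T1..T4} = {1, x, y, x^2} and V' = {U1..U8} = {1, x, y, x^2, xy, x^3, x^2 y, x^4},
# stored as exponent pairs (a, b) for x^a y^b; y^2 is rewritten as x^3 + 1 when multiplying.
T_BASIS = [(0, 0), (1, 0), (0, 1), (2, 0)]
U_BASIS = [(0, 0), (1, 0), (0, 1), (2, 0), (1, 1), (3, 0), (2, 1), (4, 0)]
U_INDEX = {m: k for k, m in enumerate(U_BASIS)}
DELTA, DELTA1 = len(T_BASIS), len(U_BASIS)     # delta = 4, delta' = 8 as in (2.3)

def transpose(A):
    return [list(col) for col in zip(*A)]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)] for row in A]

def mult_table():
    """The matrices M_1..M_4 of (2.7): column j of M_i is T_i * T_j in U-coordinates, cf. (2.6)."""
    mats = []
    for (a1, b1) in T_BASIS:
        M = [[0] * DELTA for _ in range(DELTA1)]
        for j, (a2, b2) in enumerate(T_BASIS):
            a, b = a1 + a2, b1 + b2
            terms = [(a, b)] if b < 2 else [(a + 3, b - 2), (a, b - 2)]   # y^2 = x^3 + 1
            for m in terms:
                M[U_INDEX[m]][j] = (M[U_INDEX[m]][j] + 1) % P
        mats.append(M)
    return mats

MATS = mult_table()   # the whole description of C in Representation A

def rref(A):
    """Reduced row echelon form over GF(P): returns (nonzero rows, pivot columns)."""
    R, piv, r = [row[:] for row in A], [], 0
    for c in range(len(R[0]) if R else 0):
        p = next((i for i in range(r, len(R)) if R[i][c]), None)
        if p is None:
            continue
        R[r], R[p] = R[p], R[r]
        inv = pow(R[r][c], P - 2, P)
        R[r] = [v * inv % P for v in R[r]]
        for i in range(len(R)):
            if i != r and R[i][c]:
                R[i] = [(vi - R[i][c] * vr) % P for vi, vr in zip(R[i], R[r])]
        piv.append(c)
        r += 1
    return R[:r], piv

def column_basis(A):
    """Canonical basis of image A as columns, so two subspaces are equal iff the results are ==."""
    rows, _ = rref(transpose(A))
    return transpose(rows) if rows else [[] for _ in A]

def kernel(A):
    """Basis of ker A = {v : A v = 0}, as the columns of an n x (n - rank A) matrix."""
    R, piv = rref(A)
    n, cols = len(A[0]), []
    for f in (c for c in range(n) if c not in piv):
        v = [0] * n
        v[f] = 1
        for i, c in enumerate(piv):
            v[c] = (-R[i][f]) % P
        cols.append(v)
    return transpose(cols)

def mult_matrix(s):
    """M_s = sum_i c_i M_i of (2.13): 'multiplication by s = sum_i c_i T_i' as a delta' x delta matrix."""
    return [[sum(c * M[k][j] for c, M in zip(s, MATS)) % P for j in range(DELTA)]
            for k in range(DELTA1)]

def product(s, t):
    """One product s . t = M_s t in V' (Proposition/Algorithm 2.6 (1))."""
    return [row[0] for row in matmul(mult_matrix(s), transpose([t]))]

def simple_mult(s, A_W):
    """Simple multiplication (2.11): A_{s.W} = M_s A_W (Proposition/Algorithm 2.6 (2))."""
    return matmul(mult_matrix(s), A_W)

def sum_of_products(S, A_W):
    """s_1.W + ... + s_h.W as the column space of the block matrix (A_{s_1.W} ... A_{s_h.W}) (2.6 (3))."""
    block = [sum(rows, []) for rows in zip(*(simple_mult(s, A_W) for s in S))]
    return column_basis(block)

def division(A_Wp, S):
    """Division (2.12): W' / {s_1..s_h} = ker P, with P the stack of the K_{W'} M_{s_i} of (2.14)."""
    K_Wp = transpose(kernel(transpose(A_Wp)))   # rows annihilate W', so ker K_Wp = W'
    P_mat = sum((matmul(K_Wp, mult_matrix(s)) for s in S), [])
    return kernel(P_mat)

def demo():
    """Example 2.9 checks: T2.T3 = U5, T3.T3 = U1 + U6, and (y.W) / {y} = W for W = span{1, x}."""
    unit = lambda i: [1 if j == i else 0 for j in range(DELTA)]
    T1, T2, T3 = unit(0), unit(1), unit(2)
    A_W = transpose([T1, T2])      # W = H^0(O_C(2 P_inf)) = span{1, x} inside V
    return {
        "T2_T3": product(T2, T3),
        "T3_T3": product(T3, T3),
        "dim_xy_W": len(sum_of_products([T2, T3], A_W)[0]),
        "division_ok": column_basis(division(simple_mult(T3, A_W), [T3])) == column_basis(A_W),
    }
```

The last check recovers W from y · W by division, which works because multiplication by a nonzero function is injective on k(C); the sum-of-products check shows {x, y} · span{1, x} = span{x, x^2, y, xy} has dimension 4.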

To illustrate Representation B, we take $k = \mathbb{Q}$, and take the divisor $Z$ of degree $N = 9$ to be

(2.17) $Z = (0, 1) + (-1, 0) + (2, 3) + (2, -3) + (2 + 2\sqrt{2}, 5 + 4\sqrt{2}) + (2 - 2\sqrt{2}, 5 - 4\sqrt{2}) + 3P_\infty.$

Note that the individual points need not be defined over $\mathbb{Q}$, but the divisor $Z$ is nonetheless rational over $\mathbb{Q}$. Here we have chosen the map of (2.9) to be multiplication by $x^{-2}$ at $P_\infty$ and to be the identity away from $P_\infty$. In other words, the natural trivialization of $\mathcal{L} = \mathcal{O}_C(4P_\infty)$ on the complement of $P_\infty$ allows us to directly evaluate elements of $V$ or $V'$, viewed as elements of the function field, at the six "finite" points of $Z$; since the values of a $\mathbb{Q}$-rational element at the points $(2 \pm 2\sqrt{2}, 5 \pm 4\sqrt{2})$ are conjugate elements of the extension $\mathbb{Q}[\sqrt{2}]$, the values at these two points are completely described by a single element of $\mathbb{Q}[\sqrt{2}]$. This is equivalent to noting that these two conjugate points on $C(\bar{k})$ correspond to a single point on the scheme $C$, with residue field $\mathbb{Q}[\sqrt{2}]$.

As for evaluating at the remaining point $P_\infty$ (to third order), we "evaluate" an element $s \in V$ by evaluating the function field element $s x^{-2}$, which is regular at $P_\infty$, to third order at that point. More precisely, we take the first three terms $s x^{-2} = a_0 + a_1 t + a_2 t^2 + O(t^3)$ in the power series expansion of $s x^{-2}$ in terms of a uniformizer $t$ of the discrete valuation at $P_\infty$. (Specifically, we choose $t = x/y$, so that $x = t^{-2} + O(t^4)$ and $y = t^{-3} + O(t^3)$. Also, if we wanted to evaluate an element $s' \in V'$ at $3P_\infty$, we would need to take the third-order expansion of $s' x^{-4}$ in terms of $t$.) Putting all this together, we see that the algebra $A$ of "values at $Z$" can be identified with

(2.18) $A \cong \mathbb{Q} \times \mathbb{Q} \times \mathbb{Q} \times \mathbb{Q} \times \mathbb{Q}[u]/(u^2 - 2) \times \mathbb{Q}[t]/(t^3),$

where $u$ corresponds to $\sqrt{2}$, and the "values" of the basis elements of $V$ at $Z$ are

(2.19)
$(1, 1, 1, 1, 1 + 0u, 0 + 0t + 0t^2) \in A$ corresponding to $T_1 \leftrightarrow 1$,
$(0, -1, 2, 2, 2 + 2u, 0 + 0t + t^2)$ corresponding to $T_2 \leftrightarrow x$,
$(1, 0, 3, -3, 5 + 4u, 0 + t + 0t^2)$ corresponding to $T_3 \leftrightarrow y$,
$(0, 1, 4, 4, 12 + 8u, 1 + 0t + 0t^2)$ corresponding to $T_4 \leftrightarrow x^2$.

Each element of $A$ above corresponds to a column of the $9 \times 4$ matrix $A_V$; for example, the third column is ${}^t(1, 0, 3, -3, 5, 4, 0, 1, 0)$. The matrix $A_V$, along with the identification of $A$ with $\mathbb{Q}^9$ via (2.18) (especially the polynomial equations $u^2 - 2 = 0$ and $t^3 = 0$), then constitutes our description of $C$ in Representation B. Note that we have not bothered to slavishly follow (2.10) in the sense of writing the first four factors of $A$ as quotients of univariate polynomial rings instead of as $\mathbb{Q}$ (e.g., by having the first four factors be $\mathbb{Q}[w]/(w)$ instead). What we have done instead is to combine ideas from Representation $B_0$ and Representation B.
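As an added worked example (not part of the original paper), the following Python code builds the Representation B data of Example 2.9 from scratch: it evaluates the basis $\{1, x, y, x^2\}$ of $V$ at the six finite points of $Z$, handling the conjugate pair as a single element of $\mathbb{Q}[u]/(u^2 - 2)$, expands $x$ and $y$ in the uniformizer $t = x/y$ at $P_\infty$ from the curve equation alone, and reads off the third-order values of $s x^{-2}$. It then multiplies in the algebra $A$ of (2.18) to confirm the Representation A relation $T_3 \cdot T_3 = U_1 + U_6$ value by value. The series precision and the function names are this example's own choices.

```python
from fractions import Fraction as Q

# Elements of Q[u]/(u^2 - 2) are pairs (a, b) meaning a + b*u, so the conjugate pair of
# points (2 +- 2u, 5 +- 4u) in Z is treated as one factor of A, exactly as in (2.18).
def qu_mul(p, r):
    (a, b), (c, d) = p, r
    return (a * c + 2 * b * d, a * d + b * c)

def qu_pow(p, n):
    out = (Q(1), Q(0))
    for _ in range(n):
        out = qu_mul(out, p)
    return out

# Truncated Laurent series in the uniformizer t = x/y at P_inf: {exponent: coefficient},
# with every product truncated below t^prec.
def s_mul(f, g, prec):
    h = {}
    for i, a in f.items():
        for j, b in g.items():
            if i + j < prec:
                h[i + j] = h.get(i + j, Q(0)) + a * b
    return {k: v for k, v in h.items() if v != 0}

def s_pow(f, n, prec):
    out = {0: Q(1)}
    for _ in range(n):
        out = s_mul(out, f, prec)
    return out

def s_inv_unit(f, prec):
    """Inverse of a series f = 1 + O(t), by Newton's iteration g <- g * (2 - f * g)."""
    g = {0: Q(1)}
    for _ in range(prec.bit_length() + 1):
        two_minus_fg = {k: -v for k, v in s_mul(f, g, prec).items()}
        two_minus_fg[0] = two_minus_fg.get(0, Q(0)) + 2
        g = s_mul(g, two_minus_fg, prec)
    return g

def expansions(prec):
    """x, y and 1/x as series in t. Writing x = t^-2 w and using y = x/t in y^2 = x^3 + 1
    gives w^2 (w - 1) = -t^6, i.e. w = 1 - t^6 w^-2, which is iterated to precision prec."""
    w = {0: Q(1)}
    for _ in range(prec // 6 + 2):
        w_inv2 = s_pow(s_inv_unit(w, prec), 2, prec)
        w = {k + 6: -v for k, v in w_inv2.items() if k + 6 < prec}
        w[0] = Q(1)
    x = {k - 2: v for k, v in w.items()}
    y = {k - 3: v for k, v in w.items()}
    x_inv = {k + 2: v for k, v in s_inv_unit(w, prec).items()}
    return x, y, x_inv

PREC = 30                                   # assumed series precision, far beyond the third order needed
X_SER, Y_SER, XINV_SER = expansions(PREC)

# The places of Z in (2.17): four Q-rational points, the closed point with residue field
# Q(sqrt 2), and P_inf to third order.
RATIONAL_PTS = [(Q(0), Q(1)), (Q(-1), Q(0)), (Q(2), Q(3)), (Q(2), Q(-3))]
QUAD_PT = ((Q(2), Q(2)), (Q(5), Q(4)))      # x = 2 + 2u, y = 5 + 4u

def values_at_Z(i, j, m):
    """Values in A (as a 9-entry list) of the section x^i y^j of L^{(x)m}, L = O_C(4 P_inf):
    four rationals, (a, b) for a + b u, then the t^0, t^1, t^2 coefficients of
    x^i y^j x^{-2m}, which is regular at P_inf (m = 1 for V, m = 2 for V')."""
    col = [x0 ** i * y0 ** j for (x0, y0) in RATIONAL_PTS]
    col += list(qu_mul(qu_pow(QUAD_PT[0], i), qu_pow(QUAD_PT[1], j)))
    f = s_mul(s_pow(X_SER, i, PREC), s_pow(Y_SER, j, PREC), PREC)
    f = s_mul(f, s_pow(XINV_SER, 2 * m, PREC), PREC)
    return col + [f.get(k, Q(0)) for k in range(3)]

T_BASIS = [(0, 0), (1, 0), (0, 1), (2, 0)]  # 1, x, y, x^2

def matrix_A_V():
    """The 9 x 4 matrix A_V of Example 2.9, as a list of its four columns."""
    return [values_at_Z(i, j, 1) for (i, j) in T_BASIS]

def A_mul(c1, c2):
    """Multiplication in A = Q^4 x Q[u]/(u^2 - 2) x Q[t]/(t^3) on 9-entry value vectors."""
    out = [c1[k] * c2[k] for k in range(4)]
    out += list(qu_mul((c1[4], c1[5]), (c2[4], c2[5])))
    p, r = c1[6:9], c2[6:9]
    return out + [sum(p[a] * r[k - a] for a in range(k + 1)) for k in range(3)]

def check_T3_squared():
    """T_3 . T_3 = U_1 + U_6, i.e. y^2 = 1 + x^3, holds in A (the U_k are sections of L^{(x)2})."""
    col_y = values_at_Z(0, 1, 1)
    u1, u6 = values_at_Z(0, 0, 2), values_at_Z(3, 0, 2)
    return A_mul(col_y, col_y) == [a + b for a, b in zip(u1, u6)]
```

The series step is where a Representation B implementation usually goes wrong: the third-order data at $P_\infty$ is only meaningful after dividing by $x^{2m}$, and the check `check_T3_squared` exercises exactly that normalization for both $V$ and $V'$.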

3. Representing divisors; algorithms for divisor classes 

We now turn to the representation of divisors on $C$. We begin with some notation. Given a divisor $D$ and a $P \in C(\bar{k})$, we write $v_P(D)$ for the multiplicity of $P$ in $D$; hence $D = \sum_P v_P(D) P$, a finite sum. We write $(s)_{\mathcal{L}}$, or $(s)$ if $\mathcal{L}$ is understood, for the divisor of zeros of a nonzero section $s \in H^0(\mathcal{L})$:

(3.1) $(s) = (s)_{\mathcal{L}} = \sum_{P \in C(\bar{k})} v_{\mathcal{L},P}(s)\, P.$

Here $v_{\mathcal{L},P}(s)$ is the valuation of $s$ at the point $P \in C(\bar{k})$. Note that $(s)$ is an effective divisor, with $\deg(s) = \deg \mathcal{L} = \Delta$. Moreover, the linear equivalence class of $(s)$ is the same as that of the line bundle $\mathcal{L}$, and so is independent of the choice of $s$. Note also that since $s \in V$ is rational over $k$, so is the divisor $(s)$, even though the individual points where $(s)$ vanishes might be defined over an extension of $k$.

Definition 3.1. Let $D$ be a $k$-rational effective divisor on $C$.

(1) We define the ($k$-rational) subspaces

(3.2)
$W_D = \{ s \in V \mid \forall P \in C(\bar{k}),\ v_{\mathcal{L},P}(s) \geq v_P(D) \} = H^0(\mathcal{L}(-D)) \subset V,$
$W'_D = \{ s' \in V' \mid \forall P \in C(\bar{k}),\ v_{\mathcal{L}^{\otimes 2},P}(s') \geq v_P(D) \} = H^0(\mathcal{L}^{\otimes 2}(-D)) \subset V'.$

Thus $W_D$ and $W'_D$ consist respectively of those linear or quadratic functions on $C$ that vanish at $D$, counting multiplicity. We allow $D = 0$, in which case $W_D = V$, $W'_D = V'$.

(2) Take a subset $S \subset V$ containing at least one nonzero element. We say that $S$ is an ideal generating set (abbreviated to IGS) for $D$, or equivalently that $D$ is the divisor of common zeros of $S$, if

(3.3) $\forall P \in C(\bar{k}),\quad v_P(D) = \min\{ v_P(s) \mid s \in S \}.$

We occasionally abuse terminology and call $S$ an IGS for $W_D$.

Note that the divisor of common zeros of $S$ is the same as that of the $k$-subspace of $V$ spanned by $S$. The terminology IGS comes from the interpretation of a divisor $D$ on (an affine part of) $C$ as an ideal in a Dedekind domain.

Clearly, an IGS for $D$ exists if and only if the line bundle $\mathcal{L}(-D)$ is base point free, in which case $W_D$ itself (or even just a basis for $W_D$) will be an IGS. The divisor $D$ is then uniquely determined by any IGS $S$, as it can be viewed as the GCD of the divisors $\{ (s) \mid 0 \neq s \in S \}$. Thus we represent our divisors as follows:

Definition 3.2. Assume that $D$ is an effective $k$-rational divisor. By abuse of terminology, we say that $W_D$ is base point free if the line bundle $\mathcal{L}(-D)$ is base point free.

(1) If $W_D$ is base point free, then a full representation of $D$ is any matrix $A_{W_D}$ whose columns (as in Remark 2.4) are a basis for the subspace $W_D$.

(2) If $W_D$ is base point free, then a brief representation of $D$ is any IGS $\{s_1, \ldots, s_h\}$ for $D$, where we store the $s_i \in V$ as column vectors.

In particular, if $W$ is a subspace of $V$ whose divisor of common zeros is $D$, then any basis for $W$ can be viewed as a brief representation of $D$. The following proposition collects some elementary facts that play an important role in our algorithms.

Proposition 3.3. Let $D$ be an effective $k$-rational divisor of degree $d$ (we allow $D = 0$). Recall that $\Delta = \deg \mathcal{L} \geq 2g + 2$.

(1) If $d \leq \Delta - 2g$, then $W_D$ is base point free. Further, $\dim W_D = \delta - d$, i.e., $W_D$ has codimension $d$ in $V$.

(2) If $d \leq 2\Delta - 2g$, then a similar statement holds for the subspace $W'_D \subset V'$.

(3) Take a nonzero $s \in V$ with $(s)_{\mathcal{L}} = E$. Then the simple multiplication $s \cdot W_D$ is

(3.4) $s \cdot W_D = W'_{D+E}.$

If furthermore $d \leq \Delta - 2g$, then both $W_D$ and $W'_{D+E}$ are base point free.

(4) Let $S = \{s_1, \ldots, s_h\}$ be an IGS for $D$. Let $E$ be an effective $k$-rational divisor, preferably but not necessarily such that $W'_{D+E}$ is base point free. Then the division $W'_{D+E} \div S$ is

(3.5) $W'_{D+E} \div S = W_E.$

Proof. Easy considerations about valuations and the Riemann-Roch theorem; the main ideas are present in [KM04a]. Incidentally, one can also define $W'_F \div S$ for arbitrary divisors $F$; the result is then $W_{F \setminus D}$, in the sense of Proposition/Algorithm 3.9 of [KM04a]. □

Our next goal is to explain that, with good probability, a random selection of relatively few elements of a base point free space $W_D$ is an IGS for $D$. Moreover, it is easy to test whether any given subset of $W_D$ is an IGS, in the setting of our application. This enables us to convert easily between the full and brief representations of $D$. We first clarify what we mean by a random selection of elements of $W_D$, and then state our result precisely.

Definition 3.4. Let $\Sigma \subset k$ be a finite subset, and let $|\Sigma|$ be its cardinality. (If $k$ is itself finite, we usually take $\Sigma = k$.) Let $W \subset V$ be a subspace, and choose once and for all a basis $\{w_1, \ldots, w_r\}$ for $W$. We define a $\Sigma$-random element $t \in W$ to be an element of the form

(3.6) $t = c_1 w_1 + \cdots + c_r w_r,\qquad c_1, \ldots, c_r \in \Sigma,$

where the $c_i$ are chosen independently and randomly with respect to the uniform probability distribution on $\Sigma$. Our notation does not indicate the dependence on the choice of basis $\{w_1, \ldots, w_r\}$, even though this affects the distribution, because the final results on random selection of an IGS are independent of this choice of basis. Note that choosing a $\Sigma$-random element $t$ requires $O(r \log |\Sigma|)$ random bits to produce $c_1, \ldots, c_r$, followed by $O(rg) = O(g^2)$ field operations in $k$ for the linear combination. We will mainly consider sets $\Sigma$ that are not too large: $|\Sigma| = O(g)$; it is also reasonable to take $|\Sigma| = O(1)$, which is the case if $k$ is a finite field.

Theorem 3.5. Let $D$ be an effective $k$-rational divisor with $d = \deg D \leq \Delta - 2g$.

(1) Take a finite set $\Sigma \subset k$ as above. Define

(3.7) $h = 1 + \lceil \log(2(\Delta - d)) / \log |\Sigma| \rceil.$

Take any nonzero $s_1 \in W_D$, and choose, $\Sigma$-randomly and independently, $h - 1$ elements $s_2, \ldots, s_h \in W_D$. Then with probability greater than or equal to $1/2$, the set $\{s_1, \ldots, s_h\}$ is an IGS for $D$.

(2) Independently of part 1, assume that $2g - 1 \leq d \leq \Delta$. Let $h$ be any integer, and take elements $s_1, \ldots, s_h \in W_D$. Then $\{s_1, \ldots, s_h\}$ is an IGS for $D$ if and only if the sum of products $s_1 \cdot V + \cdots + s_h \cdot V$ satisfies

(3.8) $s_1 \cdot V + \cdots + s_h \cdot V = W'_D.$

Proof. Part 1 follows from Proposition 4.3 with $\mathcal{M} = \mathcal{L}(-D)$ and $\eta = 1/2$. Note that the result still holds even if we choose $s_2, \ldots, s_h$ independently and $\Sigma$-randomly from a subspace $W \subset W_D$ whose divisor of common zeros is $D$. Part 2 is Proposition 4.11. □

Remark 3.6. Since both $\Delta$ and $d$ are of size $O(g)$, we can therefore obtain a randomly chosen IGS of size $h = O(1 + \log g / \log |\Sigma|) = O(g^{\epsilon})$ in fewer than two attempts on average. This is a considerable improvement over using a basis of $W_D$, which would contain $O(g)$ elements, and which would slow down the two Proposition/Algorithms of Section 2 (sum of products and division). This (along with the insight to use Representation B) is the source of the essential speedup in this article, compared to the algorithms of [KM04a].

Using the framework of Section 2 and this section, we now describe how to convert between the full and brief representations of a divisor $D$. We also introduce the important "flipping" algorithm.

Proposition/Algorithm 3.7 (Deflation). Assume given a subspace $W_D \subset V$ which is the full representation of a divisor $D$ with $2g - 1 \leq \deg D \leq \Delta - 2g$. Then there exists a fast probabilistic Las Vegas algorithm that computes a brief representation $\{s_1, \ldots, s_h\}$ of $D$, with $h = O(g^{\epsilon})$. We call this a deflation of $D$; even though the deflation is not unique, we still write

(3.9) $\mathrm{Defl}(W_D) = \{s_1, \ldots, s_h\},$ where $\{s_1, \ldots, s_h\}$ is any IGS for $D$.

Proof. We know that $\deg D = \dim V - \dim W_D$. This means that we know the dimension $\dim W'_D = \dim V' - \deg D$, even though we have not yet computed the subspace $W'_D$. We now run the following algorithm:

(1) Compute the value of $h$ from (3.7), and randomly choose $s_1, \ldots, s_h \in W_D$ as in Theorem 3.5 above.

(2) Form the sum of products $W' = s_1 \cdot V + \cdots + s_h \cdot V$ by our fast algorithm. If $\dim W' \neq \dim W'_D$, then our choice of $\{s_1, \ldots, s_h\}$ was not an IGS, so return to step 1. Once $\dim W' = \dim W'_D$, stop and output the $\{s_i\}$.

The complexity of step 1 (including generating the random bits and forming each $s_i$) is $O(g^2 h) = O(g^{2+\epsilon})$, which can be brought down slightly if one views producing $\{s_2, \ldots, s_h\}$ as a matrix multiplication of $A_{W_D}$ by a random matrix with entries in $\Sigma$. As for step 2, we have $W' \subset W'_D$, so checking the criterion of (3.8) amounts to comparing dimensions. Our choice of the $\{s_i\}$ fails this test with probability at most $1/2$, so the expected number of times that we go through the loop is at most 2. □

Converting back from a brief to a full representation of a divisor, which we call "inflation," requires an IGS for $V$. This should be computed once and for all as part of our precomputations when we store the representation of $C$ and $\mu$ for our algorithms. The rest of our algorithms do not use inflation, but we include it for completeness. As for the IGS for $V$, we do not need it to implement the group operations on divisor classes on $C$, but we do need to have it available for the "membership test" of Section 4, which tests whether a given subspace $W \subset V$ is equal to some $W_D$.

Lemma/Algorithm 3.8 (IGS for $V$). There exists a polynomial-complexity, but not "fast," Las Vegas algorithm that can be done exactly once as a precomputation to produce an IGS for $V$. We shall call the (nonunique) result $\mathrm{Defl}(V)$.

Proof. As we wish to produce an IGS for the empty divisor $D = 0$, we cannot use part 2 of Theorem 3.5 here. We need to go beyond the linear and quadratic spaces $V$ and $V'$ to a "cubic" space $V'' = H^0(\mathcal{L}^{\otimes 3})$. Write the product of $s \in V$ and $t' \in V'$ as $s * t' \in V''$; then the condition for $\{s_1, \ldots, s_h\} \subset V$ to be an IGS for $V$ is

(3.10) $s_1 * V' + \cdots + s_h * V' = V''.$

There is no problem in choosing the $\{s_i\}$ from $V$ so that they have a probability of at least $1/2$ of being an IGS for $V$. Carrying out the modified sum of products in (3.10), however, needs a knowledge of the space $V''$ and of the higher multiplication map $* : V \times V' \to V''$; the problem is to produce this data, after which checking (3.10) is easy. (The data giving $V''$ and $*$ can incidentally be discarded once we find an IGS for $V$.) To find this data, we can use Representation A by Remark 2.3. Then, as in the discussion of Representation A, we let $\{T_1, \ldots, T_\delta\}$ be a basis for $V$, and work with the polynomial algebra $k[T_1, \ldots, T_\delta]$. The kernel of $\mu$ allows us to find generators of the ideal $I_C$, and we can identify $V$, $V'$, and $V''$ respectively as the portions of the graded algebra $k[T_1, \ldots, T_\delta]/I_C$ in degrees 1, 2, and 3, with the obvious multiplications. Thus finding $V''$ and $*$ can be done by Gröbner bases; the computations involve only linear algebra in the spaces of polynomials in $k[T_1, \ldots, T_\delta]$ of degree at most 3, whose dimension is $O(g^3)$. Thus the computation can be done with a complexity that is polynomial in $g$. □

Proposition/Algorithm 3.9 (Inflation). Given a precomputed IGS for $V$, assume we are given a brief representation $\{s_1, \ldots, s_h\}$ of a divisor $D$, with $h = O(g^{\epsilon})$. Assume that we know that $\deg D \geq 2g - 1$. Then there exists a (deterministic) fast algorithm to find the full representation $W_D$, which we call the inflation of the IGS $\{s_1, \ldots, s_h\}$:

(3.11) $\mathrm{Infl}(\{s_1, \ldots, s_h\}) = W_D,$ where $D$ is the divisor of common zeros of $\{s_1, \ldots, s_h\}$.

Proof. The obvious algorithm is:

(1) Calculate the sum of products $W'_D = s_1 \cdot V + \cdots + s_h \cdot V$.

(2) Use the previously computed IGS, $\mathrm{Defl}(V)$, to find $W_D = W'_D \div \mathrm{Defl}(V)$. □

The next Proposition/Algorithm is fundamental for our algorithms on divisors and divisor classes. Given $D$, it allows us to find a complementary (effective) divisor $\bar{D}$ such that $D + \bar{D}$ is in the linear equivalence class of $\mathcal{L}$.

Proposition/Algorithm 3.10 (Flipping). Assume given $W_D$, where $2g - 1 \leq \deg D \leq \Delta - 2g$. Take a nonzero $s \in W_D$, and write the divisor of $s$ as $(s)_{\mathcal{L}} = D + \bar{D}$. Then there exists a fast Las Vegas algorithm to compute the flip, $W_{\bar{D}}$, of our divisor:

(3.12) $\mathrm{Flip}(W_D, s) = W_{\bar{D}}.$

Proof. Compute $W_{\bar{D}} = (s \cdot V) \div \mathrm{Defl}(W_D)$. This works because $s \cdot V = W'_{D + \bar{D}}$. □

Remark 3.11. We will write $W_{\bar{D}} = \mathrm{Flip}(W_D)$, without specifying $s$, if the precise choice of $s$ does not matter.

We can now describe the basic setup for implementing group operations on the Jacobian, or more precisely on the classes of $k$-rational divisors. We will describe our algorithms in the context of the "large model" of [KM04a], as well as a slight variant. It is possible to generalize our ideas to the "medium" and "small" models described in that article, but the large model is sufficient to demonstrate the asymptotic speedup of our new algorithms.

Definition 3.12. The large model of the curve $C$ is defined as follows. We implicitly assume that $g \geq 2$, although everything works (possibly with some increase in degrees of divisors) for $g \leq 1$.

(1) We choose a degree $d \geq 2g$, with $d = O(g)$ nonetheless, and we fix once and for all an effective $k$-rational divisor $D_0$ with $\deg D_0 = d$.

(2) We define our basic line bundle by $\mathcal{L} = \mathcal{O}_C(3D_0)$, and represent the spaces $V$ and $V'$ as well as the multiplication map $\mu$ using either Representation A or Representation B. Note that $\Delta = 3d$.

(3) Given an effective $k$-rational divisor $D$, we say that $D$ is small if $\deg D = d$, and large if $\deg D = 2d$.

(4) If $D$ is a small divisor, then let $x_D$ be the linear equivalence class of $D - D_0$ in the Jacobian of $C$. Then we represent the element $x_D$ of the Jacobian by the space $W_D$. Similarly, if $D$ is a large divisor, then define $x_D$ to be the linear equivalence class of $D - 2D_0$, and let the space $W_D$ represent $x_D$.

(5) We calculate and store ahead of time the spaces $W_{D_0}$ and $W_{2D_0}$, as well as an IGS for each space, and a specific $s_0 \in V$, unique up to a nonzero factor in $k$, such that $(s_0)_{\mathcal{L}} = 3D_0$. (Thus $s_0$ corresponds to the element $1 \in k(C)$, viewed as an element of $H^0(\mathcal{O}_C(3D_0))$.)

(6) If we need to perform the membership test of Proposition/Algorithm 4.12 or inflation as in Proposition/Algorithm 3.9, then compute and store ahead of time an IGS $\mathrm{Defl}(V)$ for $V$ as mentioned above.

Remark 3.13. Some assorted remarks:

(1) If the divisor $D$ is small, then $W_D$ (respectively, $W'_D$) has codimension $d$ in $V$ (respectively, in $V'$). If $D$ is large, then the codimension is $2d$. Moreover, if $D$ is small, then its complementary divisor $\bar{D} = \mathrm{Flip}(D)$ is large, and vice versa. We see that $D$ and $\bar{D}$ represent inverse points on the Jacobian, since $D + \bar{D}$ is linearly equivalent to $3D_0$.

(2) We do not specifically need the spaces $W_{D_0}$ and $W_{2D_0}$. We can use instead spaces $W_{E_0}$ and $W_{E_1}$, where the divisor $E_0$ is linearly equivalent to $D_0$, and $E_1 = \mathrm{Flip}(W_{E_0}, s_0)$ for some nonzero choice of $s_0 \in W_{E_0}$. (It follows that $E_1$ is linearly equivalent to $2D_0$.)

(3) When choosing the divisor $D_0$ and the degree $d$, it is best to make $d$ as small as possible, i.e., $d = 2g$ or perhaps $d = 2g + 2$ (which is useful in some contexts). It may however be difficult in practice to find effective divisors of a specific degree that are rational over the base field $k$, especially if $k$ is a number field (unless the curve $C$ comes equipped with a known rational point).

(4) Assume that we start with a different representation of $C$ before our precomputation (e.g., as an equation for a singular plane curve birational to $C$). We should also extend the precomputations of Remark 2.2 to compute some spaces $W_D$, for divisors $D$ that are supplied to us along with $C$ (e.g., as formal sums of points on the plane curve), and with which we wish to later do computations in the Jacobian of $C$.

(5) A side note: the divisor $D_1$ in the definition of Representation $B_0$ and the accompanying remark is $D_1 = 3D_0$.

We postpone until Section 4 a discussion of how to quickly test whether a given subspace $W \subset V$, having the correct dimension, actually is of the form $W_D$ for a small or large $D$; that membership test requires slightly different techniques from the other algorithms, which in any case will be used much more often. Instead, we begin with a test for equality on the Jacobian. Observe in this and our later algorithms that we always perform a division by a deflation of a subspace, i.e., using a small IGS instead of the entire subspace representing a divisor.

Proposition/Algorithm 3.14 (Equality of divisor classes). Assume given two spaces $W_D$ and $W_E$, corresponding to divisors $D$ and $E$ that are either both small or both large. Then the following is a fast Las Vegas algorithm to test whether $D$ and $E$ are linearly equivalent, i.e., whether $x_D = x_E$ on the Jacobian of $C$:

(1) Take any nonzero $s \in W_D$ and calculate $W = (s \cdot W_E) \div \mathrm{Defl}(W_D)$.

(2) Then $D$ and $E$ are linearly equivalent if and only if the space $W$ is nonzero.

Proof. This is Theorem/Algorithm 4.1 of [KM04a]. In brief, write $(s)_{\mathcal{L}} = D + \bar{D}$, with $D + \bar{D}$ linearly equivalent to $3D_0$. Then $s \cdot W_E = W'_{D + \bar{D} + E}$, and we obtain $W = W_{\bar{D} + E}$ upon division. Since $\deg(\bar{D} + E) = 3d = \Delta$, the space $W_{\bar{D} + E}$ is nonzero precisely when $\bar{D} + E$ is linearly equivalent to $3D_0$, which is equivalent to $D$ and $E$ being linearly equivalent. Note that $\deg(\bar{D} + E)$ is larger than our usual degree bounds; our computation of the space $W_{\bar{D} + E}$ is nonetheless correct, as explained in [KM04a]. □

KAMAL KHURI-MAKDISI

For implementing group operations on the Jacobian, we shall be content with describing one operation, "addflip":

Definition 3.15. Given two elements $x, y$ in the Jacobian of $C$ (actually, in any abelian group that is written additively), we define their addflip to be

(3.13) $\mathrm{Addflip}(x, y) = -(x + y).$

Note that given this operation, it is of course immediate to compute inverses, via $-x = \mathrm{Addflip}(x, 0)$, and hence to compute sums, via $x + y = -\mathrm{Addflip}(x, y)$.

In the original large model from [KM04a], we represented an element of the Jacobian using only $W_D$ for a small divisor $D$. In that context, we can implement the addflip as follows.

Proposition/Algorithm 3.16 (Addflip of small divisors). Assume given two subspaces $W_D$ and $W_E$, representing small divisors $D$ and $E$, and elements $x_D, x_E$ of the Jacobian of $C$. Then the following is a fast Las Vegas algorithm to compute a space $W_F$, for a suitable small divisor $F$, such that $x_F = \mathrm{Addflip}(x_D, x_E)$:

(1) Choose a nonzero $s \in W_D$, and compute $W_{\bar{D}} = \mathrm{Flip}(W_D, s)$. (Note that $\bar{D}$ is a large divisor.)

(2) Compute $W_{D+E} = (s \cdot W_E) \div \mathrm{Defl}(W_{\bar{D}})$. (Note that $D + E$ is a large divisor.)

(3) Flip the result to obtain $W_F = \mathrm{Flip}(W_{D+E})$.

Proof. This is Proposition/Algorithm 4.3 of [KM04a], using the second method of adding divisors (Theorem/Algorithm 3.13 of that earlier article). As in Proposition/Algorithm 3.14 above, we have $s \cdot W_E = W'_{D + \bar{D} + E}$, so our computation of $W_{D+E}$ is correct. Step 3 shows that $D + E + F$ is linearly equivalent to $3D_0$, and hence $x_D + x_E + x_F = 0$ on the Jacobian. □

Remark 3.17. To evaluate $\mathrm{Addflip}(0, x_E)$, we of course take $D = D_0$ and $s = s_0$. This allows us to skip step 1, and simplify step 2, since we already know a deflation of the space $W_{\bar{D}} = W_{2D_0}$.

As a variant, we can represent all elements on the Jacobian using large divisors. The resulting algorithm for addflip is given below. Since $D$ is now large, the space $W_D$ has smaller dimension than in our original large model. This will make some computations faster, especially since we do fewer basic operations in this algorithm than in Proposition/Algorithm 3.16.

Proposition/Algorithm 3.18 (Addflip of large divisors). Given two elements $x_D, x_E$ of the Jacobian, represented by $W_D, W_E$ for large divisors $D, E$, we can compute $W_F$ for a large divisor $F$ that represents $x_F = \mathrm{Addflip}(x_D, x_E)$ by the following fast Las Vegas algorithm:

(1) Compute $W_{\bar{D}} = \mathrm{Flip}(W_D)$. (Note that $\bar{D}$ is a small divisor.)

(2) Choose a nonzero $s \in W_E$, so $(s) = E + \bar{E}$. Compute $W_{\bar{D} + \bar{E}} = (s \cdot W_{\bar{D}}) \div \mathrm{Defl}(W_E)$.

(3) Our desired result is $W_F = W_{\bar{D} + \bar{E}}$.

Proof. The inverses $-x_D$ and $-x_E$ in the Jacobian are given by the linear equivalence classes of $\bar{D} - D_0$ and $\bar{E} - D_0$. Thus the divisor $F = \bar{D} + \bar{E}$ represents $-x_D - x_E$. □
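As an added end-to-end example (not the paper's code), the following Python script instantiates the large model of Definition 3.12 on a toy curve and runs Proposition/Algorithms 3.7 (deflation), 3.10 (flipping), 3.14 (equality test) and 3.16 (addflip of small divisors) with plain Gaussian elimination mod $p$. The assumed instance is $C: y^2 = x^3 + 1$ over $\mathbb{F}_{101}$ ($g = 1$, which Definition 3.12 allows), $D_0 = 2P_\infty$ (so $d = 2$), $\mathcal{L} = \mathcal{O}_C(6P_\infty)$, Representation B with $Z$ consisting of $N = 13 = 2\Delta + 1$ affine points, and $\Sigma = \mathbb{F}_{101}$. Since for an elliptic curve the class $x_{P+Q}$ of $P + Q - D_0$ corresponds to the point $P \oplus Q$, the addflip result is checked against the chord-tangent group law. The curve, prime, points, random seed and all function names are this example's own choices.

```python
import math, random

p = 101   # assumed instance: C: y^2 = x^3 + 1 over F_101 (g = 1), D_0 = 2 P_inf, L = O_C(6 P_inf)
MONOS = [(0, 0), (1, 0), (0, 1), (2, 0), (1, 1), (3, 0),          # basis of V : pole order <= 6 at P_inf
         (2, 1), (4, 0), (3, 1), (5, 0), (4, 1), (6, 0)]         # ... extended to V': pole order <= 12
POLE = [2 * i + 3 * j for (i, j) in MONOS]
Z = sorted((x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - 1) % p == 0)[:13]
N = len(Z)                                                       # N = 13 = 2 Delta + 1 affine points
rng = random.Random(2024)

def ev(mono, P):
    return pow(P[0], mono[0], p) * pow(P[1], mono[1], p) % p

VB = [[ev(m, P) for P in Z] for m in MONOS[:6]]                  # Representation B: V as values at Z

def rref(rows, n):
    """Row reduction mod p; returns (nonzero reduced rows, pivot columns)."""
    M = [[v % p for v in r] for r in rows]
    piv, r = [], 0
    for c in range(n):
        k = next((i for i in range(r, len(M)) if M[i][c]), None)
        if k is None:
            continue
        M[r], M[k] = M[k], M[r]
        iv = pow(M[r][c], p - 2, p)
        M[r] = [v * iv % p for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        piv.append(c)
        r += 1
    return M[:r], piv

def nullspace(rows, n):
    M, piv = rref(rows, n)
    basis = []
    for f in (c for c in range(n) if c not in piv):
        v = [0] * n
        v[f] = 1
        for i, c in enumerate(piv):
            v[c] = (-M[i][f]) % p
        basis.append(v)
    return basis

def from_coords(c):                      # coefficient vector w.r.t. MONOS[:6] -> values at Z
    return [sum(c[j] * VB[j][a] for j in range(6)) % p for a in range(N)]

def random_element(W):                   # Sigma-random element of W, Sigma = F_p (Definition 3.4)
    cs = [rng.randrange(p) for _ in W]
    return [sum(c * w[a] for c, w in zip(cs, W)) % p for a in range(N)]

def sum_of_products(S, W):               # s_1 . W + ... + s_h . W, pointwise in Representation B
    return rref([[a * b % p for a, b in zip(s, w)] for s in S for w in W], N)[0]

def divide(Wp, S):
    """W' -:- S = {v in V : v . s in W' for all s in S}, via the annihilator K of W'."""
    K = nullspace(Wp, N)
    rows = [[sum(k[a] * s[a] * t[a] for a in range(N)) % p for t in VB] for s in S for k in K]
    return [from_coords(c) for c in nullspace(rows, 6)]

def W_of(points, order_at_inf=0):
    """W_D for D = (sum of the given distinct affine points) + order_at_inf * P_inf."""
    rows = [[ev(m, P) for m in MONOS[:6]] for P in points]
    rows += [[int(j == jj) for j in range(6)] for jj in range(6) if POLE[jj] > 6 - order_at_inf]
    return [from_coords(c) for c in nullspace(rows, 6)]

def deflate(W, d):
    """Defl(W_D), Prop./Alg. 3.7: s_1 = first basis vector plus h - 1 random elements, with h from (3.7);
    accepted once dim(s_1 . V + ... + s_h . V) = dim W'_D = 12 - d, the criterion (3.8)."""
    h = 1 + math.ceil(math.log(2 * (6 - d)) / math.log(p))
    for _ in range(100):
        S = [W[0]] + [random_element(W) for _ in range(h - 1)]
        if len(sum_of_products(S, VB)) == 12 - d:
            return S
    raise RuntimeError("random IGS selection failed repeatedly")

def flip(W, d, s=None):                  # Prop./Alg. 3.10: (s . V) -:- Defl(W_D) = W_{Dbar}, deg Dbar = 6 - d
    s = W[0] if s is None else s
    return divide(sum_of_products([s], VB), deflate(W, d))

def addflip_small(WD, WE):               # Prop./Alg. 3.16 with d = 2
    s = WD[0]
    WDbar = flip(WD, 2, s)                                        # deg Dbar = 4
    WDE = divide(sum_of_products([s], WE), deflate(WDbar, 4))     # W_{D+E}, deg 4
    return flip(WDE, 4)                                           # W_F, deg F = 2

def equal(WD, WE, d):                    # Prop./Alg. 3.14: D ~ E iff the quotient space is nonzero
    return len(divide(sum_of_products([WD[0]], WE), deflate(WD, d))) > 0

def ec_add(P, Q):                        # chord-tangent law on y^2 = x^3 + 1; None stands for P_inf
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, p - 2, p) if P == Q else (y2 - y1) * pow(x2 - x1, p - 2, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def demo():
    """x_{P+Q} is the point P (+) Q, so Addflip(x_D, x_E) for D = P+Q, E = R+S must be the class of
    X + P_inf - D_0 with X = -(P (+) Q (+) R (+) S); this is checked with the equality test."""
    P, Q, R, S = (0, 1), (2, 3), (5, 5), (2, p - 3)
    WF = addflip_small(W_of([P, Q]), W_of([R, S]))
    X = ec_add(ec_add(P, Q), ec_add(R, S))
    W_expected = W_of([], 2) if X is None else W_of([(X[0], -X[1] % p)], 1)
    return equal(WF, W_expected, 2) and not equal(W_of([P, Q]), W_of([], 2), 2)
```

Note that every division is by a deflation (here $h = 2$, as (3.7) gives for $|\Sigma| = 101$), never by a full basis of $W_D$, and that the IGS test is nothing more than a dimension comparison of a sum of products, exactly as in step 2 of Proposition/Algorithm 3.7.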

4. Randomly selecting an IGS, with verification; membership test 

In the first part of this section, we are given an effective $k$-rational divisor $D$ for which $W_D$ is base point free, and we let $W \subset W_D$ be a subspace whose divisor of common zeros is $D$ (in most applications, $W = W_D$). We wish to study the probability that a suitable random selection of $s_1, \ldots, s_h \in W$ is an IGS for $D$. In order to clarify what is going on, we shall work with the line bundle $\mathcal{M} = \mathcal{L}(-D)$. Then we can view $W$ as a base point free subspace of $H^0(\mathcal{M})$, more precisely as a base point free linear series of the line bundle $\mathcal{M}$. We hence wish to determine the probability that there is no point common to all the divisors $(s_1)_{\mathcal{M}}, \ldots, (s_h)_{\mathcal{M}}$.

Lemma 4.1. Let $\mathcal{M}$ be a base point free line bundle on $C$. Let $W \subset H^0(\mathcal{M})$ be a base point free subspace. Fix a nonzero element $s_1 \in W$.

(1) There exist proper subspaces $H_1, \ldots, H_\ell \subsetneq W$, with $\ell \leq \deg \mathcal{M}$, with the following property:

(4.1) $\{ s_2 \in W \mid \{s_1, s_2\} \text{ is NOT an IGS for } H^0(\mathcal{M}) \} = H_1 \cup \cdots \cup H_\ell.$

(2) More generally, let $h \geq 2$, and view a selection of $s_2, \ldots, s_h \in W$ as a tuple $(s_2, \ldots, s_h)$ in the vector space $W^{h-1}$. Then, with the same $\{H_i\}$ as in part 1,

(4.2) $\{ (s_2, \ldots, s_h) \in W^{h-1} \mid \{s_1, \ldots, s_h\} \text{ is NOT an IGS for } H^0(\mathcal{M}) \} = (H_1)^{h-1} \cup \cdots \cup (H_\ell)^{h-1}.$

Proof. Let $P_1, \ldots, P_\ell \in C(\bar{k})$ be the distinct points where $s_1$ vanishes. Thus $\ell \leq \deg \mathcal{M}$. Define $H_i$ to be the $k$-rational subspace $\{ t \in W \mid v_{\mathcal{M},P_i}(t) \geq 1 \}$ of sections vanishing at $P_i$. Since $W$ is base point free, we have $H_i \subsetneq W$. Then both sides of (4.2) express the fact that all of $s_2, \ldots, s_h$ also vanish at one of the $P_i$. □

The next lemma is an abstract statement about linear algebra; we have adapted it from a result in [BG04].

Lemma 4.2. Let $W$ be a vector space over $k$, with basis $\{w_1, \ldots, w_r\}$. Take a finite subset $\Sigma \subset k$, and consider $\Sigma$-random elements of $W$ in the sense of Definition 3.4. Let $H_1, \ldots, H_\ell \subsetneq W$ be proper subspaces.

(1) For a $\Sigma$-random element $t \in W$,

(4.3) $\Pr(t \in H_1 \cup \cdots \cup H_\ell) \leq \ell / |\Sigma|.$

(2) For a tuple $(t_1, \ldots, t_j) \in W^j$ of independent $\Sigma$-random elements $t_1, \ldots, t_j \in W$,

(4.4) $\Pr\big((t_1, \ldots, t_j) \in (H_1)^j \cup \cdots \cup (H_\ell)^j\big) \leq \ell / |\Sigma|^j.$

Proof. Both statements easily reduce to the case $\ell = 1$, so we assume from now on that we only have one subspace $H = H_1 \subsetneq W$. We can find an $(r - 1)$-dimensional hyperplane $H' \subset W$ containing $H$. Hence there exist constants $a_1, \ldots, a_r \in k$, not all zero, such that

(4.5) $t = c_1 w_1 + \cdots + c_r w_r \in H \implies t \in H' \iff a_1 c_1 + \cdots + a_r c_r = 0.$

Without loss of generality, say that $a_1 \neq 0$. Then for every choice of values of $c_2, \ldots, c_r \in \Sigma$, there exists exactly one value of $c_1 \in k$ for which $t \in H'$, hence at most one value of $c_1$ for which $t \in H$; it is furthermore possible that $c_1 \notin \Sigma$. So at most $|\Sigma|^{r-1}$ choices of tuples $(c_1, \ldots, c_r) \in \Sigma^r$ lead to $t \in H$, whence $\Pr(t \in H) \leq 1/|\Sigma|$. It follows that $\Pr\big((t_1, \ldots, t_j) \in H^j\big) \leq 1/|\Sigma|^j$. This proves our result. □
Combining the above two lemmas, we immediately obtain:

Proposition 4.3. Keep the assumptions and notation of Lemmas 4.1 and 4.2 above. Take $0 < \eta < 1$, and define

(4.6) $h = 1 + \lceil (\log \deg \mathcal{M} - \log \eta) / \log |\Sigma| \rceil.$

For a fixed nonzero $s_1 \in W$, let $s_2, \ldots, s_h \in W$ be independently chosen $\Sigma$-random elements. Then

(4.7) $\Pr\big(\{s_1, \ldots, s_h\} \text{ is an IGS for } H^0(\mathcal{M})\big) \geq 1 - \eta.$

Proof. Immediate, once we note that $j = h - 1$ in our previous notation, and that $\ell \leq \deg \mathcal{M}$. □

Corollary 4.4. If $k$ is infinite, then every base point free subspace $W$ contains an IGS with two elements.

We are now ready for a more precise statement about random sections giving an IGS, when $k$ is a finite field. We thus take $\Sigma = k$; a $\Sigma$-random element of a vector space $W$ is thus a random element of the finite set $W$, chosen using the uniform distribution. We first note two simple facts.

Lemma 4.5. Assume that $k = \mathbb{F}_q$. For $\ell \geq 1$, let $N_\ell$ be the number of degree $\ell$ irreducible divisors on $C$ (i.e., divisors of the form $D = P_1 + \cdots + P_\ell$, where the $\ell$ points $\{P_1, \ldots, P_\ell\}$ are a single Galois orbit). Then

(4.8) $N_\ell \leq \frac{1}{\ell}\left(q^\ell + 1 + 2g\, q^{\ell/2}\right).$

Proof. The $N_\ell$ irreducible divisors give rise to $\ell N_\ell$ distinct $\mathbb{F}_{q^\ell}$-rational points on $C$. However, $|C(\mathbb{F}_{q^\ell})| \leq q^\ell + 1 + 2g\, q^{\ell/2}$ by the simplest form of the Weil bounds (see for example Appendix C of [Har77]). □

Lemma 4.6. Assume that $k = \mathbb{F}_q$, and that $\deg \mathcal{M} = T + 2g - 1$ with $T \geq 1$. Choose random $s_1, \ldots, s_h \in H^0(\mathcal{M})$ independently with the uniform distribution. Then the probability that the sections have a common zero (i.e., that they are not an IGS) is at most

(4.9) $N_1 q^{-h} + N_2 q^{-2h} + \cdots + N_T q^{-Th} + N_{T+1} q^{-Th} + \cdots + N_{T+2g-1} q^{-Th}.$

Proof. For each irreducible divisor $D$, the probability that a given section vanishes at $D$ is $|H^0(\mathcal{M}(-D))| / |H^0(\mathcal{M})| = q^{-c}$, where $c$ is the codimension of $H^0(\mathcal{M}(-D))$ in $H^0(\mathcal{M})$. Thus the probability that $h$ sections all vanish at $D$ is $q^{-ch}$. Now by Riemann-Roch, we have that $c = \deg D$ when $1 \leq \deg D \leq T$, and $c \geq T$ when $\deg D > T$. Moreover, we know that if $\deg D \geq T + 2g$, then $H^0(\mathcal{M}(-D)) = \{0\}$, so in that case simultaneous vanishing at $D$ can happen only if all the sections are identically zero; but we have already accounted for this situation in considering divisors of smaller degree. Adding up for all irreducible $D$ the probability that the sections simultaneously vanish at $D$ yields the upper bound (4.9). □
Remark 4.7. In the above proof, we have not tried to bound the "overcounting"; for example, if $D_1$ and $D_2$ are distinct irreducible divisors, then we have counted twice the contribution to (4.9) of the probability that the sections all vanish at $D_1 + D_2$. Heuristically, at least when $T \to \infty$, the events of vanishing at two (or more) divisors $D_1, D_2$ should be independent, with probabilities $q^{-h \deg D_1}$ and $q^{-h \deg D_2}$. So for $T$ large, a good heuristic estimate of the probability that $h$ random sections do not yield an IGS is given by

(4.10) $1 - \prod_{\ell=1}^{\infty} \left(1 - q^{-\ell h}\right)^{N_\ell} = 1 - \frac{1}{Z_C(h)},$

where $Z_C(s)$ is the zeta function of $C$. This is analogous to a standard elementary statement that the "probability" that two integers $m, n \in \mathbb{Z}$ are relatively prime (i.e., that $\{m, n\}$ is an IGS!) is $\prod_{p \text{ prime}} (1 - p^{-2}) = 1/\zeta(2) = 6/\pi^2$. Now $Z_C(s)$ is a rational function of $q^{-s}$, and its expansion near $q^{-s} = 0$ (i.e., as $s \to \infty$) gives us $1 - 1/Z_C(h) = N_1 q^{-h} + O(q^{-2h})$. Thus if we want this quantity to be less than $\eta$, we can try the heuristic approximation $h = \lceil \log(N_1/\eta) / \log q \rceil$. Now $N_1 \leq q + 1 + 2g\sqrt{q}$, so if we fix $q$ and let $g$ become large, we obtain a value $h \approx \log(2g\sqrt{q}/\eta)/\log q = O(1 + \log(g/\eta)/\log q)$, in line with our results.

We can now state and prove our result Proposition 4.8 for finite fields. Even though our algorithms rely on the simpler Proposition 4.3, the significance of Proposition 4.8 is that the value of $h$ given below does not depend on $T$, once $T$ is comparable to or larger than $g$. Also note that if $g$ or $q$ is large, then the constant 6 in (4.11) can be reduced significantly. However, the result of Proposition 4.8 only works if we randomly select our sections from the entire space $H^0(\mathcal{M})$, and not a subspace $W$.

Proposition 4.8. Assume that $k = \mathbb{F}_q$, and that $\deg \mathcal{M} = T + 2g - 1$ with $g \geq 1$ and $T \geq 2$. Let $0 < \eta < 1$, and define

(4.11) $h = \max\left( 1 + \left\lceil \frac{\log(6g/\eta)}{\log q} \right\rceil,\ 1 + \left\lceil \frac{2g - 1}{T - 1} \right\rceil \right).$

Then a uniform random choice of $h$ sections from $H^0(\mathcal{M})$ is an IGS with probability $\geq 1 - \eta$.

Proof. By Lemmas 4.5 and 4.6, the probability of not being an IGS is bounded above by the quantity

(4.12) $P = \sum_{\ell=1}^{T} \frac{1}{\ell}\left(q^\ell + 1 + 2g\, q^{\ell/2}\right) q^{-\ell h} + \sum_{\ell=T+1}^{T+2g-1} \frac{1}{\ell}\left(q^\ell + 1 + 2g\, q^{\ell/2}\right) q^{-Th}.$

We wish to show that $P < \eta$. We use the following elementary estimates that hold for $N \geq M \geq 1$, $q \geq 2$, and $a \geq 1$:

(4.13) $\sum_{\ell=1}^{N} \frac{q^{-a\ell}}{\ell} \leq 1.5\, q^{-a}, \qquad \sum_{\ell=M}^{N} q^{\ell} \leq 2\, q^{N}, \qquad \sum_{\ell=M}^{N} 1 = N - M + 1, \qquad \sum_{\ell=M}^{N} q^{\ell/2} \leq 3.5\, q^{N/2}.$

(The constant 3.5 is a simple upper bound for $1/(1 - q^{-1/2})$ when $q \geq 2$.) From these, we easily estimate that

(4.14) $P \leq 1.5\, q^{-(h-1)} + 1.5\, q^{-h} + 3g\, q^{-(h - 1/2)} + \frac{q^{-Th + T + 2g - 1}}{T + 1}\left( 2 + (2g - 1)\, q^{-(T + 2g - 1)} + 7g\, q^{-(T + 2g - 1)/2} \right).$

(Note that $h - 1 \geq 1$.) Equation (4.11) now implies that $q^{-(h-1)} \leq \eta/(6g)$, and also that $-Th + T + 2g - 1 \leq 1 - h \leq 0$. Since furthermore $T + 2g - 1 \geq 3$, we obtain

(4.15) $P \leq \frac{1.5\,\eta}{6g} + \frac{1.5\,\eta}{6gq} + \frac{3\,\eta}{6\sqrt{q}} + \frac{\eta}{6g(T + 1)}\left( 2 + (2g - 1)\, q^{-3} + 7g\, q^{-1.5} \right) < \eta,$

since $q \geq 2$, $g \geq 1$, and $T \geq 2$. This gives the desired result. □


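As an added numerical example (not from the paper), the following Python code evaluates the bound of Lemma 4.6, its Weil-bound form (4.12), the value of $h$ from (4.11), and the heuristic (4.10) for the curve $y^2 = x^3 + 1$ of Example 2.9 taken over $k = \mathbb{F}_7$ ($g = 1$), with $\deg \mathcal{M} = 4$, i.e. $T = 3$ (so $\mathcal{M} = \mathcal{O}_C(4P_\infty)$ itself). For an elliptic curve, $|C(\mathbb{F}_{q^\ell})|$ follows from the Frobenius trace, and the $N_\ell$ of Lemma 4.5 follow by inverting $\sum_{d \mid \ell} d\, N_d = |C(\mathbb{F}_{q^\ell})|$. The choices of $q$, $T$, $\eta$ and the function names are this example's own; the formulas are those of the text.

```python
from math import ceil, log

def point_count(q):
    """|C(F_q)| for C: y^2 = x^3 + 1, q an odd prime, counted by brute force (plus P_inf)."""
    sq = {}
    for y in range(q):
        sq.setdefault(y * y % q, []).append(y)
    return 1 + sum(len(sq.get((x ** 3 + 1) % q, [])) for x in range(q))

def point_counts_extensions(q, n_max):
    """|C(F_{q^l})| for l = 1..n_max. With a = q + 1 - |C(F_q)| the Frobenius trace and alpha, beta
    its eigenvalues, |C(F_{q^l})| = q^l + 1 - (alpha^l + beta^l), where the power sums obey
    s_l = a s_{l-1} - q s_{l-2} because alpha beta = q (genus 1 only)."""
    a = q + 1 - point_count(q)
    s = [2, a]
    for _ in range(2, n_max + 1):
        s.append(a * s[-1] - q * s[-2])
    return {l: q ** l + 1 - s[l] for l in range(1, n_max + 1)}

def irreducible_divisor_counts(q, n_max):
    """N_l of Lemma 4.5 (degree-l closed points), from sum_{d | l} d N_d = |C(F_{q^l})|."""
    counts = point_counts_extensions(q, n_max)
    N = {}
    for l in range(1, n_max + 1):
        N[l] = (counts[l] - sum(d * N[d] for d in N if l % d == 0)) // l
    return N

def bound_4_9(q, g, T, h, N):
    """Lemma 4.6: upper bound on Pr(h uniform sections of H^0(M) are not an IGS), deg M = T + 2g - 1."""
    return sum(N[l] * q ** (-h * min(l, T)) for l in range(1, T + 2 * g))

def bound_4_12(q, g, T, h):
    """The same sum with N_l replaced by the Weil bound (4.8); this is P in (4.12)."""
    return sum((q ** l + 1 + 2 * g * q ** (l / 2)) / l * q ** (-h * min(l, T))
               for l in range(1, T + 2 * g))

def h_from_4_11(q, g, T, eta):
    return max(1 + ceil(log(6 * g / eta) / log(q)), 1 + ceil((2 * g - 1) / (T - 1)))

def heuristic_4_10(q, h, N):
    """1 - prod_l (1 - q^{-lh})^{N_l} over the degrees available in N (Remark 4.7)."""
    prod = 1.0
    for l, n in N.items():
        prod *= (1 - q ** (-l * h)) ** n
    return 1 - prod

def summary(q=7, g=1, T=3, eta=0.01):
    """Defaults: M = O_C(4 P_inf) on y^2 = x^3 + 1 over F_7, target failure probability eta = 1/100."""
    N = irreducible_divisor_counts(q, T + 2 * g - 1)
    h = h_from_4_11(q, g, T, eta)
    return {"N": N, "h": h, "weil_bound": bound_4_12(q, g, T, h),
            "exact_N_bound": bound_4_9(q, g, T, h, N), "heuristic": heuristic_4_10(q, h, N)}
```

For these parameters (4.11) gives $h = 5$, and the three quantities are ordered as the text predicts: the heuristic (4.10) is below the exact-count bound (4.9), which is below the Weil-bound quantity (4.12), which is below $\eta$; the gap between (4.12) and $\eta$ is what the remark about the constant 6 refers to.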

Our second topic in this section is to discuss how to verify whether our random selection of sections is indeed an IGS. The same techniques also give our algorithm for membership testing. We prove both these results after two preliminary lemmas. We return to considering a line bundle $\mathcal{L}$ of degree $\Delta \geq 2g + 2$, and subspaces of the form $W_D \subset V$, $W'_D \subset V'$ for effective $k$-rational divisors $D$.

Lemma 4.9. Let $D$ be an effective divisor for which $W_D$ is base point free. Then $\deg D \leq \Delta$. Moreover, we have the following relation between $\deg D$ and the codimension of $W_D$ in $V$:

(1) If $\operatorname{codim} W_D \leq \Delta - 2g$, then $\deg D = \operatorname{codim} W_D$.

(2) If $\operatorname{codim} W_D \geq \Delta - 2g + 1$, then $\deg D \geq \Delta - 2g + 1$.

Proof. The first statement follows because $D$ is a "factor" of the divisor of any nonzero $s \in W_D$, but $\deg (s)_{\mathcal{L}} = \Delta$. The statements about the codimension are straightforward (extend scalars to $\bar{k}$, start with $D = 0$, and add one point at a time to $D$). □

Lemma 4.10. Assume given nonzero t_1, t_2 ∈ V such that D is the divisor of 
common zeros of t_1, t_2. Define W' = t_1·V + t_2·V. Then W' ⊂ W'_D, and the 
codimension of W' in V' satisfies 

(4.16)  \operatorname{codim} W' = \dim H^0(O_C(D)) - 1 + g = \deg D + \dim H^1(O_C(D)). 

In particular, if deg D ≥ 2g − 1, then W' = W'_D. 

Proof. Write (t_1)_L = D + E_1 and (t_2)_L = D + E_2, where E_1 and E_2 are disjoint 
effective divisors. Now t_1·V = W'_{D+E_1} and t_2·V = W'_{D+E_2}, hence trivially 
W' ⊂ W'_D. We now use codim W' = codim(t_1·V) + codim(t_2·V) − codim(t_1·V ∩ t_2·V) 
to show (4.16). By construction, t_1·V ∩ t_2·V = W'_{D+E_1+E_2}. Now D + E_1 and D + E_2 
are in the linear equivalence class of L, so L^{⊗2}(−D − E_1 − E_2) ≅ O_C(D). Therefore 
dim W'_{D+E_1+E_2} = dim H^0(O_C(D)), and its codimension is δ' − dim H^0(O_C(D)) = 
2A + 1 − g − dim H^0(O_C(D)). On the other hand, both t_1·V and t_2·V have 
codimension A in V'. This proves (4.16). As for the last statement, note that the 
assumption on deg D implies that codim W' = deg D. However, we always have 
W' ⊂ W'_D, and moreover codim W'_D = deg D (use Lemma 4.9 to get deg D ≤ A ≤ 
2A − 2g). Thus W' = W'_D, as desired. □ 
Proposition 4.11. The criterion of part 2 of Theorem \S.,^ is correct. 

Proof. It is enough to prove the statement after extending scalars to k̄ (any infinite 
field will do). Let S ⊂ W_D be the subspace spanned by s_1, …, s_h. Then the divisor 
of common zeros of S is D + F for some effective divisor F, and {s_1, …, s_h} is an 
IGS for D if and only if F = 0. By Corollary 4.4 there exist t_1, t_2 ∈ S whose 
divisor of common zeros is also D + F. We have 

(4.17)  t_1·V + t_2·V ⊂ s_1·V + ⋯ + s_h·V ⊂ W'_{D+F} ⊂ W'_D. 

Apply the final statement of Lemma 4.10 to the divisor D + F, whose degree is at 
least 2g − 1 by the assumption on deg D; we conclude that s_1·V + ⋯ + s_h·V = W'_{D+F}, 
with codimension deg D + deg F. This yields the desired result. □ 

Proposition/Algorithm 4.12 (Membership test). Given a subspace W ⊂ V, 
write c = codim W (in V), and assume that 2g ≤ c ≤ deg L − 2g. Define h = 
1 + ⌈log 2A / log |k|⌉. Let D be the divisor of common zeros of W, so W ⊂ W_D. 
Then the following is a fast algorithm to check if W = W_D, under the assumption 
that we have precomputed an IGS Defl(V) for V as in Lemma/Algorithm I.V. 

(1) Select s_1, …, s_h ∈ W in the usual way (take any s_1 ≠ 0, and choose the 
rest randomly), and calculate 

(4.18)  U' = s_1·V + ⋯ + s_h·V. 

Write c' = codim U' (in V'). If c' > c, then go back to step 1. Else, 
if c' < c, then conclude that W ≠ W_D and stop. Otherwise (if c' = c), 
continue. 

(2) Compute the division U = U' ÷ Defl(V). If U = W, then conclude that W = W_D. 
Otherwise, conclude that W ≠ W_D. 

Proof. By statement (1) of Lemma 4.9 we have c ≥ codim W_D = deg D. Our 
choice of h (which is still O(g^ε)) implies that {s_1, …, s_h} is an IGS for D with 
probability at least 1/2, independently of deg D. As in Proposition 4.11 we extend 
scalars to k̄, and write S = span{s_1, …, s_h}, with divisor of common zeros D + F; 
we have F = 0 at least half the time. Again let t_1, t_2 ∈ S have divisor of common 
zeros D + F, to obtain the same inclusions as in (4.17). 

We now discuss what happens in the two cases W = W_D and W ≠ W_D. 

(1) If W = W_D, then deg D = c, and we obtain as in Proposition 4.11 that 
c' = deg(D + F); thus c' − c = deg F ≥ 0. We therefore repeat the loop in 
step 1 at most twice on average until we have F = 0, at which point we also 
obtain U' = W'_D. It follows that the division in step 2 computes U = W_D, 
so the test correctly concludes that W = W_D. 

(2) If W ≠ W_D, then deg D < c. We distinguish four scenarios: 

(a) deg(D + F) ≤ 2g − 1: Let F' be any effective divisor for which 
deg(D + F + F') = 2g − 1, and note that dim H^0(O_C(D + F)) ≤ 
dim H^0(O_C(D + F + F')) = g. By Lemma 4.10 we know that 
c' ≤ codim(t_1·V + t_2·V) ≤ 2g − 1 < c. Hence the test correctly 
concludes that W ≠ W_D in step 1. 

(b) 2g − 1 < deg(D + F) < c: in this and in the following scenarios, we 
have c' = deg(D + F) and U' = W'_{D+F}, as in the previous proposition. 
So in this particular scenario, c' < c, and we conclude that W ≠ W_D 
in step 1. 

(c) deg(D + F) = c: This time, c' = c, and we move on to step 2, where 
we compute U = W_{D+F}. It follows that W ≠ U, because D is the 
divisor of common zeros of W, whereas F ≠ 0 (its degree is c − deg D). 
Thus step 2 correctly concludes that W ≠ W_D. 

(d) c < deg(D + F): Here c' > c, so we repeat step 1. This happens 
less than half the time, since if F = 0 we must have already landed 
in scenario a or b above. Thus we loop in step 1 at most twice on 
average. 

□ 

Remark 4.13. Our original "slow" algorithm for testing whether W = W_D, The-
orem/Algorithm 3.14 of [KM04a], was to compute Flip(W) and to see if the result 
had the expected dimension. There, the flip was implemented using a division by a 
basis for W, which was an IGS for D. We unfortunately cannot do the same using 
a random selection of h = O(g^ε) elements from W as our IGS, because we would 
not be able to quickly verify whether our random selection actually was an IGS (we 
do not know deg D in advance, and it is moreover likely that deg D < 2g − 1). 

5. Converting from Representation A to Representation B 

Our goal in this section is to give a brief sketch, under some conditions on k 
given below, of how we can convert a curve C given using Representation A into 
a description of C using Representation B. This is a precomputation that we only 
need to do once, so we will be satisfied with an efficient algorithm (as defined below), 
which is essentially polynomial time, but not necessarily of complexity O(g^{3+ε}). 

We emphasize, however, that if it is at all possible to find enough points in C(k) 
so as to use the simpler form Representation B_0, then we should do so, even if we 
do not bother with fast linear algebra. For example, this should not pose a problem 
if k = F_q with q very large compared to g, since then |C(F_q)| is comparable to q. 

In this section, we maintain the following two assumptions about our field k. 
Both of these assumptions hold if k is a finite field or a number field. 

(1) The field k is perfect. 

(2) There exists an efficient algorithm to compute the primary decomposition 
(including finding the radical) of a finite-dimensional k-algebra A. 

The second condition can, nontrivially, be replaced by our being able to efficiently 
factor (univariate) polynomials in k[x]. Here an efficient algorithm means that 
if N = dim_k A = O(g), then we have a Las Vegas algorithm with an expected 
complexity that is polynomial in g, where we need to measure complexity in terms 
of both field operations and factorizations of degree O(N) polynomials in k[x]. As 
examples of algorithms for primary decomposition and the computation of radicals, 
we mention the articles [EG00], [Kem02], and [DGP99], and the articles cited in 
their bibliographies. 

For an extended treatment of the material in this section, including many details 
omitted here as well as a fairly self-contained algorithm for primary decomposition, 
the reader is referred to Sections 6 and 7 of [KM04b]. 

Starting from Representation A, we can as before produce the projective coor-
dinate ring of C, as in Proposition 2.1 and Lemma/Algorithm 3.8; this is 

(5.1)  \bigoplus_{n \ge 0} H^0(L^{\otimes n}) \cong k[T_1, \dots, T_\delta]/I_C. 

We choose the divisor Z for Representation B to be 

(5.2)  Z = 3\,(T_1)_L = (T_1^3)_{L^{\otimes 3}}. 

Note that if we view L = O_C(D_1), then we can take Z = 3D_1. Here deg Z = 3A, 
which allows us to faithfully represent elements of V and V' by their "values" at Z. 
The values in question belong to the algebra A = H^0(O_Z), which has dimension 
3A = O(g). 

Proposition 5.1. We can efficiently find a description of A in terms of a basis 
and a multiplication table for A × A → A (similarly to (2.6) and (2.7)). In the 
process, we also obtain the images of T_1, …, T_δ as linear combinations of our basis 
for A, which allows us to identify V with a specific subspace of A. 

Sketch of proof. View Z as a zero-dimensional subscheme of the projective space 
containing C. Its projective coordinate ring is then k[T_1, …, T_δ]/(I_C + (T_1^3)). We 
however need to find the affine coordinate ring A of Z. We first deal with an easy 
case, when {T_1, T_2} is an IGS for V. (This can be arranged, for example, if k has 
at least 2A elements, since we can then choose T_2 randomly with a good chance 
of getting an IGS, which we can verify as in Lemma/Algorithm 3.8.) In this easy 
case, the scheme Z lies entirely in the affine open subset of projective space given 
by T_2 ≠ 0, so we can take 

(5.3)  A = H^0(O_Z) = k[T_1, \dots, T_\delta]/(I_C + (T_1^3) + (T_2 - 1)). 

The images of T_1, …, T_δ in A are the obvious ones. We can find a basis and 
multiplication table for A using Gröbner bases, or by a more direct approach that 
uses our linear algebra algorithms on subspaces of H^0(L^{⊗n}) for n ≤ 8, which more 
clearly shows that the algorithm is efficient. 

As for the more general case, we need to consider all affine open subsets given 
by T_j ≠ 0 for 2 ≤ j ≤ δ. (It suffices in fact to consider 2 ≤ j ≤ h, where 
{T_1, T_2, …, T_h} is an IGS for V.) For each such j, we form the quotient ring 
of (5.3), but with T_j instead of T_2. The quotient ring is then H^0(O_{Z_j}), where Z_j is 
the portion of Z lying in the affine open set {T_j ≠ 0}. It is then possible to put the 
{H^0(O_{Z_j})} together, while eliminating redundancy from the intersections Z_i ∩ Z_j, 
to obtain A as above. (Roughly speaking, remove Z_2 from Z using a division, then 
remove any part of Z_3 from what remains, and so forth, finding the affine algebra 
of each piece; then A is the product of these partial affine algebras.) All this can 
again be done using only linear algebra on subspaces of H^0(L^{⊗n}) for n ≤ 8. □ 

Now that we have represented A in a form suitable for computation, we use 
our ability to find primary decompositions to decompose A into a product of local 
Artinian k-algebras: 

(5.4)  A = B_1 \times \cdots \times B_r. 

This decomposition corresponds to writing Z = e_1 Y_1 + ⋯ + e_r Y_r for distinct irre-
ducible divisors Y_i (cf. Lemma 4.5). Thus the above decomposition expresses the 
canonical isomorphism 

(5.5)  H^0(O_Z) = H^0(O_{e_1 Y_1}) \times \cdots \times H^0(O_{e_r Y_r}). 

Let R be the affine coordinate ring of any fixed open subset of C that contains 
Z. Then each irreducible divisor Y_i corresponds to a maximal ideal P_i of the 
Dedekind domain R, and Z corresponds to the ideal J = P_1^{e_1} ⋯ P_r^{e_r}. Then the 
above decompositions are just the Chinese Remainder Theorem: 

(5.6)  R/J \cong R/P_1^{e_1} \times \cdots \times R/P_r^{e_r}. 

We will use the existence of R and the P_i to clarify our exposition, but we point out 
that we do not compute R at all; all our calculations occur in the finite-dimensional 
algebra A and in certain vector space subquotients such as the B_i. 

Specifically, the primary decomposition algorithm gives us an explicit basis for 
each B_i, viewing B_i as a k-subspace of A. We simultaneously obtain, via the 
computation of the radical, a basis for the maximal ideal p_i of B_i; here the inclusion 
p_i ⊂ B_i corresponds to P_i/P_i^{e_i} ⊂ R/P_i^{e_i}. Write L_i for the residue field B_i/p_i = 
R/P_i; in terms of f_i = [L_i : k], we have dim_k B_i = e_i f_i. Using our multiplication 
table for A, we can easily implement the ring operations in either B_i or L_i. We can 
also determine any k-linear dependencies between the elements of any finite subset 
{β_1, …, β_l} ⊂ B_i, or between their reductions {β̄_1, …, β̄_l} ⊂ L_i. 

We now sketch how to find an explicit isomorphism of each B_i with a k-algebra 
of the form k[x]/(h_i(x)), in order to obtain the isomorphism of (2.10). Finding such 
an isomorphism is equivalent to finding a "primitive element" for the algebra B_i, 
which as we shall see is possible because k is perfect and because of the relation with 
the Dedekind domain R. For notational convenience, we shall drop the subscript i. 

Proposition 5.2. Given, as above, p ⊂ B with dim_k B = ef, we can efficiently 
compute an element β ∈ B whose minimal polynomial h(x) ∈ k[x] has degree ef. 

Sketch of proof. We first find a primitive element β̄ ∈ L = B/p, and its irreducible 
minimal polynomial g(x) ∈ k[x], where deg g(x) = f = [L : k]. This is straightfor-
ward: for example, we can select random β̄ (one can show that the probability of 
selecting a primitive element is good), and, for each candidate β̄, find its minimal 
polynomial g(x) by looking for k-dependencies between {1, β̄, …, β̄^f}. We repeat 
this process until we find β̄ for which deg g(x) = f. We now look for a lift β ∈ B of 
β̄ whose minimal polynomial is h(x) = (g(x))^e. This is trivial if e = 1, as any lift 
will do. If e ≥ 2, then we see that it suffices to find a lift β for which g(β) ∈ p − p^2 
(since, in that case, g(β) ∈ B comes from an element of R with valuation 1 at the 
prime P). Take an arbitrary lift β_0 of β̄. Since g(β̄) = 0, we know that g(β_0) ∈ p. 
If in fact g(β_0) ∉ p^2, then we can take β = β_0. Otherwise, replace β_0 by β_0 + γ, 
where we take any γ ∈ p − p^2. This yields 

(5.7)  g(\beta_0 + \gamma) = g(\beta_0) + g'(\beta_0)\,\gamma + O(\gamma^2) \equiv g'(\beta_0)\,\gamma \pmod{p^2}. 

Since the extension L/k is separable, we have g'(β̄) ≠ 0, from which g'(β_0) is a unit 
in B, and we obtain what we want. □ 
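As a worked example added here (example code, not from the paper), the following Python models Proposition 5.2 in the smallest ramified case: the constructed local algebra B = F_5[x, t]/(x^2 + 2, t^2) with maximal ideal p = (t), so that L = B/p = F_5[x]/(x^2 + 2), f = 2, e = 2 and dim_k B = ef = 4. The obvious lift β_0 = x of the primitive element x̄ of L has minimal polynomial g(x) = x^2 + 2 itself, of degree f rather than ef, precisely because g(β_0) = 0 lies in p^2; the correction of (5.7) replaces it by β_0 + t, and a minimal-polynomial routine (the search for the first k-linear dependency among the powers of β, as in the proof) confirms that the corrected element has minimal polynomial g(x)^2 of degree ef. The field, the polynomial g and the index e are constructed sample values; the representation of B as arrays of x-polynomials indexed by t-degree is this example's own.

```python
# Added worked example of Proposition 5.2 (not code from the paper).  Constructed
# model: B = F_P[x, t]/(g(x), t^E) with maximal ideal p = (t), so L = B/p =
# F_P[x]/(g(x)).  Elements of B are stored as lists u[i][j] = coefficient of t^i x^j.
P = 5                 # the field k = F_5 (constructed)
G = [2, 0, 1]         # g(x) = x^2 + 2, irreducible over F_5: f = [L : k] = 2
E = 2                 # ramification index e, so dim_k B = e*f = 4
F = len(G) - 1


def poly_mulmod(a, b):
    """Multiply polynomials a, b (coefficient lists, low degree first) in k[x]/(g)."""
    prod = [0] * (len(a) + len(b) - 1) + [0] * F
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % P
    for d in range(len(prod) - 1, F - 1, -1):     # reduce x^d, d >= F, using monic g
        c = prod[d]
        if c:
            prod[d] = 0
            for k in range(F):
                prod[d - F + k] = (prod[d - F + k] - c * G[k]) % P
    return prod[:F]


def b_zero():
    return [[0] * F for _ in range(E)]


def b_scalar(c):
    u = b_zero()
    u[0][0] = c % P
    return u


def b_add(u, v):
    return [[(a + b) % P for a, b in zip(ru, rv)] for ru, rv in zip(u, v)]


def b_mul(u, v):
    """Multiply in B: x-parts multiply modulo g, t-degrees add and t^E = 0."""
    w = b_zero()
    for i in range(E):
        for j in range(E - i):
            part = poly_mulmod(u[i], v[j])
            w[i + j] = [(a + b) % P for a, b in zip(w[i + j], part)]
    return w


def eval_in_B(coeffs, beta):
    """Evaluate a polynomial with coefficients in k at beta in B (Horner's rule)."""
    acc = b_zero()
    for c in reversed(coeffs):
        acc = b_add(b_mul(acc, beta), b_scalar(c))
    return acc


def minimal_polynomial(beta):
    """Monic minimal polynomial of beta over k (low degree first), found as the first
    k-linear dependency among 1, beta, beta^2, ... by Gaussian elimination over F_P."""
    n = E * F
    powers = [b_scalar(1)]
    for _ in range(n):
        powers.append(b_mul(powers[-1], beta))
    basis = []                                   # (pivot, reduced row, combination)
    for k, pw in enumerate(powers):
        row = [c for r in pw for c in r]
        combo = [0] * (n + 1)
        combo[k] = 1                             # invariant: row == sum(combo[i] * beta^i)
        for piv, brow, bcombo in basis:
            c = row[piv]
            if c:
                row = [(a - c * b) % P for a, b in zip(row, brow)]
                combo = [(a - c * b) % P for a, b in zip(combo, bcombo)]
        if not any(row):                         # dependency found; leading coefficient is 1
            return combo[:k + 1]
        piv = next(i for i, a in enumerate(row) if a)
        inv = pow(row[piv], P - 2, P)
        basis.append((piv, [(a * inv) % P for a in row], [(a * inv) % P for a in combo]))
    raise ValueError("no dependency among ef + 1 powers; B is not ef-dimensional")


def lift_primitive_element(beta_bar):
    """Proposition 5.2: lift a primitive element beta_bar of L (a polynomial in x)
    to beta in B with g(beta) in p - p^2, so that its minimal polynomial is g^e."""
    beta0 = b_zero()
    beta0[0] = list(beta_bar)                    # the obvious lift, of t-degree 0
    if E == 1:
        return beta0                             # any lift will do when e = 1
    if any(eval_in_B(G, beta0)[1]):              # g(beta0) already outside p^2 = (t^2)
        return beta0
    gamma = b_zero()
    gamma[1][0] = 1                              # gamma = t lies in p - p^2
    return b_add(beta0, gamma)                   # (5.7): g(beta0 + gamma) = g'(beta0) gamma mod p^2


if __name__ == "__main__":
    x_bar = [0, 1]                               # x is primitive for L = F_5[x]/(x^2 + 2)
    naive = b_zero()
    naive[0] = x_bar
    print("naive lift x:", minimal_polynomial(naive))           # [2, 0, 1], i.e. g(x)
    beta = lift_primitive_element(x_bar)
    print("lift x + t  :", minimal_polynomial(beta))            # [4, 0, 4, 0, 1], i.e. g(x)^2
```

The minimal-polynomial routine is the same k-dependency search the proof applies to the powers of β̄ in L; here it runs in B and returns the dependency's coefficients, so that the degree ef can be read off directly and the result h(x) = g(x)^e can be checked by evaluating it back at β.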